JMLSG Part I
Prevention of money laundering/combating terrorist financing
Contents
Paragraphs
Preface
Executive summary
Introduction 1.1-1.8
International AML/CFT standards and legislation 1.9-1.16
The UK legal and regulatory framework 1.17-1.24
General legal and regulatory obligations and expectations 1.25-1.27
Relationship between money laundering, terrorist financing and other financial crime 1.28
Obligations on all firms 1.29-1.32
Obligations on FCA-regulated firms subject to the Senior Manager Regime 1.33-1.34
Obligations on all FCA-regulated firms 1.35-1.48
Exemptions from legal and regulatory obligations 1.49-1.52
Senior management should adopt a formal policy, and carry out a risk assessment, in relation to financial crime prevention 1.53-1.59
Application of group policies outside the UK 1.60-1.64
Extra-territoriality of some overseas jurisdictions’ regimes 1.65
Annex 4-I – Considerations in assessing the level of ML/TF risk in different jurisdictions
Annex 4-II – Illustrative risk factors relating to customer situations
Annex 4-III – Considerations in keeping risk assessments up to date
Glossary of terms
PREFACE
1. In the UK, there has been a long-standing obligation to have effective procedures in place to detect
and prevent money laundering. The UK Money Laundering Regulations, applying to financial
institutions, date from 1993, the current Regulations being those of 2017. The offence of money
laundering was contained in various acts of parliament (such as the Criminal Justice Act 1988 and
the Drug Trafficking Offences Act 1986). The Proceeds of Crime Act 2002 (POCA) consolidated,
updated and reformed the law relating to money laundering to include any dealing in criminal
property. Specific obligations to combat terrorist financing were set out in the Terrorism Act 2000.
Many of the procedures which will be appropriate to address these obligations are similar, and firms
can often employ the same systems and controls to meet them.
• outline the legal and regulatory framework for anti-money laundering/countering terrorist
financing (AML/CTF) requirements and systems across the financial services sector;
• interpret the requirements of the relevant law and regulations, and how they may be
implemented in practice;
• indicate good industry practice in AML/CTF procedures through a proportionate, risk-based
approach; and
• assist firms to design and implement the systems and controls necessary to mitigate the risks
of the firm being used in connection with money laundering and the financing of terrorism.
3. This guidance sets out what is expected of firms and their staff in relation to the prevention of money
laundering and terrorist financing, but allows them some discretion as to how they apply the
requirements of the UK AML/CTF regime in the particular circumstances of the firm, and its
products, services, transactions and customers.
4. This guidance relates solely to how firms should fulfil their obligations under the AML/CTF law and
regulations. It is important that customers understand that production of the required evidence of
identity does not automatically qualify them for access to the product or service they may be seeking;
firms bring to bear other, commercial considerations in deciding whether particular customers should
be taken on.
• trying to turn money raised through criminal activity into ‘clean’ money (that is, classic
money laundering);
• handling the benefit of acquisitive crimes such as theft, fraud and tax evasion;
• handling stolen goods;
• being directly involved with any criminal or terrorist property, or entering into arrangements
to facilitate the laundering of criminal or terrorist property; and
• criminals investing the proceeds of their crimes in the whole range of financial products.
6. The techniques used by money launderers constantly evolve to match the source and amount of funds
to be laundered, and the legislative/regulatory/law enforcement environment of the market in which
the money launderer wishes to operate. More information on the ways in which particular financial
services businesses, products, relationships and technologies may be used by money launderers and
terrorist financiers, along with some case study examples, is at
www.jmlsg.org.uk/other-helpful-material/case-studies.
7. There are three broad groups of offences related to money laundering that firms need to avoid
committing. These are:
8. It is also a separate offence under the ML Regulations not to establish adequate and appropriate
policies and procedures to forestall and prevent money laundering (regardless of whether or
not money laundering actually takes place).
9. There can be considerable similarities between the movement of terrorist property and the laundering
of criminal property: some terrorist groups are known to have well established links with organised
criminal activity. However, there are two major differences between terrorist property and criminal
property more generally:
• often only small amounts are required to commit individual terrorist acts, thus increasing the
difficulty of tracking the terrorist property;
• terrorists can be funded from legitimately obtained income, and it is extremely difficult to
identify the stage at which legitimate funds become terrorist property.
10. Terrorist organisations can, however, require quite significant funding and property to resource their
infrastructure. They often control property and funds from a variety of sources and employ modern
techniques to manage these funds, and to move them between jurisdictions.
11. In combating terrorist financing, the obligation on firms is to report any suspicious activity to the
authorities. This supports the aims of the law enforcement agencies in relation to the financing of
terrorism, by allowing the seizure and/or freezing of property where there are grounds for suspecting
that such property could be used to finance terrorist activity, and depriving terrorists of this property
as and when links are established between the property and terrorists or terrorist activity.
12. Money laundering and terrorist financing risks are closely related to the risks of other financial crime,
such as fraud. Fraud and market abuse, as separate offences, are not dealt with in this guidance.
The guidance does, however, apply to dealing with any proceeds of crime that arise from these
activities. Guidance on fraud-related matters can be found in the Fraud Manager’s Reference Guide,
published by the British Bankers’ Association (copies available at www.bba.org.uk), and Identity
Fraud – The UK Manual, published jointly by the Association of Payment and Clearing Services,
CIFAS – the UK’s Fraud Prevention Service, and the Finance & Leasing Association (copies
available at any of www.apacs.org.uk, www.cifas.org.uk, or www.fla.org.uk).
13. Firms increasingly look at fraud and money laundering as part of an overall strategy to tackle
financial crime, and there are many similarities – as well as differences - between procedures to
tackle the two. When considering money laundering and terrorist financing issues, firms should
consider their procedures against fraud and market abuse and how these might reinforce each other.
Where responsibilities are given to different departments, there will need to be strong links between
those in the firm responsible for managing and reporting on these various areas of risk. When
measures involving the public are taken specifically as an anti-fraud measure, the distinction should
be made clear.
14. The guidance prepared by JMLSG is addressed to firms in the industry sectors represented by its
member bodies (listed at paragraph 31 below), and to those firms regulated by the FCA. All such
firms – which, for the avoidance of doubt, include those which are members of JMLSG trade
associations but not regulated by the FCA - should have regard to the contents of the guidance.
15. Financial services firms which are neither members of JMLSG trade associations nor regulated by
the FCA may choose to have regard to this guidance as industry good practice. Firms which are
outside the financial sector, but subject to the ML Regulations, particularly where no specific
guidance is issued to them by a body representing their industry, may also find this guidance helpful.
16. The guidance will be of direct relevance to senior management, nominated officers and MLROs in
the financial services industry. The purpose is to give guidance to those who set the firm’s risk
management policies and its procedures for preventing money laundering and terrorist financing.
Although the guidance will be relevant to operational areas, it is expected that these areas will be
guided by the firm’s own, often more detailed and more specific, internal arrangements, tailored by
senior management, nominated officers and MLROs to reflect the risk profile of the firm.
17. The guidance gives firms a degree of discretion in how they comply with AML/CTF legislation and
regulation, and on the procedures that they put in place for this purpose.
18. It is not intended that the guidance be applied unthinkingly, as a checklist of steps to take. Firms
should encourage their staff to ‘think risk’ as they carry out their duties within the legal and
regulatory framework governing AML/CTF. The FCA has made clear its expectation that FCA-
regulated firms address their management of risk in a thoughtful and considered way, and establish
and maintain systems and procedures that are appropriate, and proportionate to the risks identified.
This guidance assists firms to do this.
19. When provisions of the statutory requirements and of FCA’s regulatory requirements are directly
described in the text of the guidance, it uses the term must, indicating that these provisions are
mandatory. In other cases, the guidance uses the term should to indicate ways in which the statutory
and regulatory requirements may be satisfied, but allowing for alternative means of meeting the
requirements. References to ‘must’ and ‘should’ in the text should therefore be construed
accordingly.
20. Many defined terms and abbreviations are used in the guidance; these are highlighted, and their
meanings are explained in the Glossary.
21. This guidance emphasises the responsibility of senior management to manage the firm’s money
laundering and terrorist financing risks, and how this should be carried out on a risk-based approach.
It sets out a standard approach to the identification and verification of customers, separating out basic
identity from other aspects of customer due diligence measures, as well as giving guidance on the
obligation to monitor customer activity.
22. The guidance incorporates a range of reference material which it is hoped that senior management,
nominated officers and MLROs will find helpful in appreciating the overall context of, and
obligations within, the UK AML/CTF framework.
23. The guidance provided by the JMLSG is in a number of parts. The main text in Part I contains
generic guidance that applies across the UK financial sector. Part II provides guidance for a number
of specific industry sectors, supplementing the generic guidance contained in Part I. [Part III provides
additional guidance on a number of specific areas of activity.]
24. Part I comprises eight separate chapters, followed by a Glossary of terms and abbreviations, and a
number of appendices setting out other generally applicable material. Some of the individual
chapters are followed by annexes specific to the material covered in that chapter.
• the importance of senior management taking responsibility for effectively managing the
money laundering and terrorist financing risks faced by the firm’s businesses (Chapter 1);
• appropriate controls in the context of financial crime (Chapter 2);
• the role and responsibilities of the nominated officer and the MLRO (Chapter 3);
• adopting a risk-based approach to the application of CDD measures (Chapter 4);
• helping a firm have confidence that it has properly carried out its CDD obligations, including
monitoring customer transactions and activity (Chapter 5);
• the identification and reporting of suspicious activity (Chapter 6);
• staff awareness, training and alertness (Chapter 7);
• record keeping (Chapter 8).
26. Parts II and III of the guidance comprise the sector specific additional material, which has been
principally prepared by practitioners in the relevant sectors. The sectoral guidance is incomplete on
its own. It must be read in conjunction with the main guidance set out in Part I of the guidance.
27. POCA requires a court to take account of industry guidance that has been approved by a Treasury
minister when considering whether a person within the regulated sector has committed the offence
of failing to report where that person knows, suspects, or has reasonable grounds for knowing or
suspecting, that another person is engaged in money laundering. Similarly, the Terrorism Act
requires a court to take account of such approved industry guidance when considering whether a
person within the financial sector has failed to report under that Act. The ML Regulations also
provide that a court must decide whether similar industry guidance was followed in determining
whether a person or institution within the regulated sector has complied with any of the requirements
of the ML Regulations.
28. The FCA Handbook also confirms that the FCA will have regard to whether a firm has followed
relevant provisions of this guidance when:
29. The guidance therefore provides a sound basis for firms to meet their legislative and regulatory
obligations when tailored by firms to their particular business risk profile. Departures from this
guidance, and the rationale for so doing, should be documented, and firms will have to stand prepared
to justify departures, for example to the FCA.
CHAPTER 1
Introduction
SYSC 3.1.1 R, 3.2.6 R, 6.1.1 R, 6.3.1 R 1.1 Being used for money laundering or terrorist financing
involves firms in reputational, legal and regulatory risks. Senior management has a
responsibility to ensure that the firm’s policies, controls and procedures
are appropriately designed and implemented, and are effectively
operated to reduce the risk of the firm being used in connection with
money laundering or terrorist financing.
Regulation 18 1.2 The ML Regulations require firms to take appropriate steps to identify
and assess the risks of money laundering and terrorist financing to which
their business is subject, taking into account:
In considering what steps are appropriate, firms must take into account
the size and nature of their business.
Regulation 16(2) 1.3 The assessment should be informed by relevant findings in the National
Risk Assessment.
1.5 Under a risk-based approach, firms start from the premise that most
customers are not money launderers or terrorist financiers. However,
firms must have systems in place to highlight those customers who, on
criteria established by the firm, may indicate that they present a higher
risk of this.
Regulation 3(1), 19(2)(b) 1.6 Senior management must be fully engaged in the decision-making
processes, and must take ownership of the risk-based approach, since
they will be held accountable if the approach is inadequate. Senior
management approval is specifically required for the firm’s policies,
controls and procedures for mitigating and managing effectively the
risks of money laundering and terrorist financing identified in the firm’s
risk assessment. Such policies, controls and procedures must be kept
up-to-date, and should reflect changes in the money laundering and/or
terrorist financing risks faced by a firm.
Regulation 21(1)(a) 1.7 Where appropriate with regard to the size and nature of its business, a
firm must appoint a member of its board of directors (or equivalent
management body) or of its senior management as the officer
responsible for the firm’s compliance with the ML Regulations.
1.8 Senior management must be aware of the level of money laundering risk
the firm is exposed to and take a view whether the firm is equipped to
mitigate that risk effectively; this implies that decisions on entering or
maintaining high-risk business relationships must be escalated to senior
management. That said, provided the assessment of the risks has been
approached in a considered way, the selection of risk mitigation
procedures is appropriate, all the relevant decisions are properly
recorded, and the firm’s policies, controls and procedures are followed
and applied effectively, the risk of censure by the regulator should be
minimised.
1.13 The extent of ML/TF risk associated with individual countries may also
be assessed through other sources, for example, HM Treasury
Sanctions[1], FATF high-risk and non-cooperative jurisdictions[2], FATF
[1] http://hmt-sanctions.s3.amazonaws.com/sanctionsconlist.pdf
[2] http://www.fatf-gafi.org/topics/high-riskandnon-cooperativejurisdictions/
1.15 The United Nations and the EU have sanctions in place to deny a range
of named individuals and organisations, as well as nationals from certain
countries, access to the financial services sector. In the UK, HM
Treasury (through the Office for Financial Sanctions Implementation)
issues sanctions notices whenever a new name is added to the list, or
when any details are amended.
[3] http://cpi.transparency.org/cpi2013/results/
[4] http://www.hrdreport.fco.gov.uk/
[5] http://www.ukti.gov.uk/export/howwehelp/oberseasbusinessrisk/countries.html
[6] http://www.state.gov/eb/rls/othr/ics/2013/index.htm
➢ FCA Handbook.
1.20 In view of the nature of the risks associated with financial crime,
multiple UK bodies share responsibility for combating money
laundering and terrorist financing. Responsibilities are set out in
Appendix I. In its capacities as a supervisory authority and a law
enforcement authority HMRC may use the UK anti-money laundering
regime to gather information for tax purposes.
Regulation 8(1),(2) 1.21 The ML Regulations apply to a range of specified firms undertaking
business in the UK. POCA and the Terrorism Act consolidated, updated
and reformed the scope of UK AML/CTF legislation to apply it to any
dealings in criminal or terrorist property. The UK financial sanctions
regime imposes additional obligations on firms. Thus, in considering
their statutory obligations, firms need to think in terms of involvement
with any crime or terrorist activity.
Serious and Organised Crime Strategy, October 2013 1.22 Firms should be aware of the Home Office’s
Serious and Organised Crime Strategy, issued in October 2013[7].
The strategy uses the framework developed for counter-terrorist work
and has four components:
Action Plan for anti-money laundering and counter-terrorist finance, April 2016 1.23 In order to
deliver these objectives successfully, the government
believes action in this area must be underpinned by four priority areas,
set out in the Action Plan for anti-money laundering and
counter-terrorist finance, published in April 2016[8]:
[7] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/248645/Serious_and_Organised_Crime_Strategy.pdf
[8] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/517992/6-2118-Action_Plan_for_Anti-Money_Laundering__web_.pdf
1.24 HM Treasury and the Home Office jointly published the first UK
national risk assessment of money laundering and terrorist financing in
October 2015.[9]
Regulation 19; POCA ss327-330; Terrorism Act ss18, 21A 1.25 Senior management of any enterprise is
responsible for managing its business effectively. Certain obligations are placed on all firms subject
to the ML Regulations, POCA and the Terrorism Act and under the UK
financial sanctions regimes - fulfilling these responsibilities falls to
senior management as a whole. These obligations are summarised in
Appendix II.
SYSC 1.26 For FCA-regulated firms the specific responsibilities, and the FCA’s
obligations and expectations, of senior management are set out in FSMA
and the FCA Handbook. These responsibilities and obligations are
outlined in Appendix II.
[9] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/468210/UK_NRA_October_2015_final_web.pdf
1.27 Following the completion of thematic and other reviews, the FCA may
clarify their expectations of firms in the relevant areas; firms should be
aware of these expectations. The FCA has also issued a publication
“Financial Crime: A Guide for Firms”, which provides practical
assistance and information for firms on FCA’s expectations of actions
they can take to counter the risk that they might be used to further
financial crime. This guide includes consolidated examples of the good
and poor practice published with FCA thematic reviews.
Relationship between money laundering, terrorist financing and other financial crime
Regulations 19(2), 21(1)(a) 1.28 From a practical perspective, firms must consider how best they should
assess and manage their overall exposure to financial crime. This does
not mean that fraud, market abuse, money laundering and terrorism
financing prevention, and financial sanctions obligations, must be
addressed by a single function within a firm; there will, however, need
to be close liaison between those responsible for each activity. This
guidance relates only to the prevention of money laundering and
terrorism financing.
Regulations 19 and 86 1.29 The ML Regulations place a general obligation on firms within their
scope to establish adequate and appropriate policies, controls and
procedures to prevent money laundering and terrorist financing. Failure
to comply with this obligation risks a prison term of up to two years
and/or a fine. Depending on the nature and extent of any such failure, it
may also attract regulatory sanction.
Regulation 21(1)(a) 1.30 Where appropriate with regard to the size and nature of its business, a
firm must appoint a member of its board of directors (or equivalent
management body) or of its senior management as the officer
responsible for the firm’s compliance with the ML Regulations.
POCA ss 327-330; Terrorism Act s 21A; Regulation 24 1.32 The offences of money laundering under POCA,
and the obligation to report knowledge or suspicion of possible money laundering, affect
members of staff of firms. The similar offences and obligations under
the Terrorism Act also affect members of staff. However, firms have
an obligation under the ML Regulations to take appropriate measures to
ensure that their employees and agents are made aware of the law
SYSC 4.5.4 R; SYSC 4.5.7 R; SYSC 4.5.13 G 1.33 Under the SMR, deposit takers, insurers and investment
banks are required to maintain a Management Responsibilities Map, which
allocates prescribed responsibilities to individual SMF Managers. The
management responsibility map of a small and non-complex firm is
likely to be simple and short, possibly no more than a single sheet of
paper.
SYSC 4.7.5 R; SYSC 4.7.7 (4) R 1.34 One prescribed responsibility - for the firm’s policies and
procedures for countering the risk that the firm might be used to further financial
crime - must be allocated to an SMF Manager. The firm may allocate
this responsibility to the MLRO, but does not have to. If it is allocated
to another SMF Manager, this prescribed responsibility includes
responsibility for supervision of the MLRO.
1.35 A number of the financial sector firms regulated by the FCA are so-
called ‘common platform’ firms, because they are subject both to MiFID
and to the Capital Requirements Directive. The FCA Rules relating to
systems and controls to prevent firms being used in connection with the
commission of financial crime are in two parts: those which apply to
most firms, set out in SYSC 6.1.1, and those which apply to non-
common platform firms, set out in SYSC 3.2.6. To avoid confusing the
vast majority of firms by including a multitude of references to SYSC
3.2.6, this guidance is constructed in terms of following the
requirements of SYSC 6.1.1; non common platform firms should follow
this guidance, interpreting it as referring as necessary to the relevant
parts of SYSC 3.2.6.
FSMA, s 1B (5); FSMA, s 1D (2) (b); SYSC 2.1.1 R, 2.1.3 R, 6.1.1 R, 6.3 1.36 FSMA makes the prevention
of financial crime integral to the discharge
of the FCA’s functions and fulfilment of its objectives. This means that
the FCA is concerned that the firms it regulates and their senior
management are aware of the risk of their businesses being used in
connection with the commission of financial crime, and take appropriate
measures to prevent financial crime, facilitate its detection and monitor
its incidence. Senior management has operational responsibility for
ensuring that the firm has appropriate systems and controls in place to
combat financial crime.
SYSC 6.3.8 R; SYSC 4.7.7(4) R 1.37 In FCA-regulated firms (but see paragraph 1.49 for general insurance
firms and mortgage intermediaries), a director or senior manager must
be allocated overall responsibility for the establishment and
maintenance of the firm’s anti-money laundering systems and controls.
SYSC 6.3.9 R 1.38 In FCA-regulated firms (but see paragraph 1.49 for general insurance
firms and mortgage intermediaries), an individual must be allocated
1.40 Although the FCA Rule referred to in paragraph 1.37 requires overall
responsibility for AML/CTF systems and controls to be allocated to a
single individual, in practice this may often be difficult to achieve,
especially in larger firms. As a practical matter, therefore, firms may
allocate this responsibility among a number of individuals, provided the
division of responsibilities is clear.
1.41 The relationship between the MLRO and the director/senior manager
allocated overall responsibility for the establishment and maintenance
of the firm’s AML/CTF systems (where they are not the same person)
is one of the keys to an effective AML/CTF regime. It is important that
this relationship is clearly defined and documented, so that each knows
the extent of his, and the other’s, role and day to day responsibilities.
Regulation 21(1)(a) 1.42 Where the firm is required to appoint a board member or member of its
senior management as the officer responsible for the firm’s compliance
with the ML Regulations, it is important that this individual, the MLRO
and the director/senior manager allocated overall responsibility for the
establishment and maintenance of the firm’s AML/CTF systems (where
they are not the same person) are all clear as to the responsibilities of
each.
SYSC 6.3.7(2) G 1.43 At least once in each calendar year, an FCA-regulated firm should
commission a report from its MLRO (see Chapter 3) on the operation
and effectiveness of the firm’s systems and controls to combat money
laundering. In practice, senior management should determine the depth
and frequency of information they feel is necessary to discharge their
responsibilities. The MLRO may also wish to report to senior
management more frequently than annually, as circumstances dictate.
1.44 When senior management receives reports from the firm’s MLRO it
should consider them and take any necessary action to remedy any
deficiencies identified in a timely manner.
SUP 16.23.4 R; SUP 16.23.2 R 1.45 All firms, other than credit unions and certain firms with limited
permissions and total revenues of less than £5 million, must submit an
Annual Financial Crime Report to the FCA in respect of their financial
year ending on its latest accounting reference date (see paragraphs
3.46-3.49).
SYSC 3.2.6 R, 6.3.9 (2) R 1.46 Those FCA-regulated firms required to appoint an MLRO are
specifically required to provide the MLRO with adequate resources. All
firms, whether or not regulated by the FCA for AML purposes, must
apply adequate resources to counter the risk that they may be used for
the purposes of financial crime. This includes establishing, and
monitoring the effectiveness of, systems and controls to prevent ML/TF.
The level of resource should reflect the size, complexity and
geographical spread of the firm’s customer and product base.
1.47 The role, standing and competence of the MLRO, and the way the
internal processes for reporting suspicions are designed and
implemented, impact directly on the effectiveness of a firm’s money
laundering/terrorist financing prevention arrangements.
SYSC 1.1A.1, 3.2.6 R 1.49 General insurance firms and mortgage intermediaries are regulated by
the FCA, but are not covered by the ML Regulations, or by the
provisions of SYSC specifically relating to money laundering. They
are, therefore, under no obligation to appoint an MLRO. They are,
however, subject to the general requirements of SYSC, and so have an
obligation to have appropriate risk management systems and controls in
place, including controls to counter the risk that the firm may be used to
further financial crime. Guidance for general insurance firms is given in
Part II, sector 7A: General insurers.
POCA ss 327-329, 335, 338; Terrorism Act s 21 1.50 These firms are also subject to the provisions of
POCA and the Terrorism Act which establish the primary offences. These offences are
not committed if a person’s knowledge or suspicion of ML/TF is
reported to the NCA, and (if relevant) appropriate consent for the
transaction or activity obtained. Certain of these firms may also be
subject to the provisions of Schedule 7 to the Counter-Terrorism Act
2008 – see Part III, section 5, especially paragraph 5.11.
POCA s 332; Terrorism Act ss 19, 21 1.51 For administrative convenience, and to assist their staff
fulfil their obligations under POCA or the Terrorism Act, general insurance firms
and mortgage intermediaries may choose to appoint a nominated officer.
Where they do so, he will be subject to the reporting obligations in s 332
of POCA and s 19 of the Terrorism Act (see Chapter 6).
1.52 E-money issuers and payment institutions are regulated under the
Electronic Money Regulations and the Payment Services Regulations,
rather than FSMA. This means that they are subject to the AML/CTF
provisions in legislation, but not to most of the FCA’s Handbook rules.
The FCA has issued guidance that sets out its expectations of e-money
issuers’ and payment institutions’ AML/CTF controls:
• http://www.fca.org.uk/static/documents/emoney-approach.pdf for e-money issuers;
• http://www.fca.org.uk/your-fca/documents/payment-services-approach for payment institutions; and
• http://fshandbook.info/FS/html/FCA/FC for both.
Senior management should adopt a formal policy, and carry out a risk assessment, in relation to financial crime prevention
SYSC 3.1.1 R, 3.2.6 R, 6.1.1 R, 6.3.1 R; Regulation 16(2) 1.53 As mentioned in paragraph 1.1 above,
senior management in FCA-regulated firms has a responsibility to ensure that the firms’ policies,
controls and procedures are appropriately designed and implemented,
and are effectively operated to manage the firm’s risks. This includes
taking appropriate steps to identify and assess the risks of money
laundering and terrorist financing to which its business is subject. This
assessment should take into account relevant findings in the UK national
risk assessment of money laundering and terrorist financing.
Regulation 18 1.54 A firm’s risk assessment must be documented, kept up-to-date and made
available to the FCA on request. The FCA may decide that a
documented risk assessment is not required in the case of a particular
firm, where the specific risks inherent in the sector in which the firm
operates are clear and understood.
SYSC 6.3.7 (3) G 1.55 For FCA-regulated firms (but see paragraph 1.49 for general insurance
firms and mortgage intermediaries, and 1.52 for e-money issuers and
payment institutions) SYSC 6.3.7 (3) G says that a firm should produce
“appropriate documentation of [its] risk management policies and risk
profile in relation to money laundering, including documentation of its
application of those policies”.
1.56 A statement of the firm’s AML/CTF policy and the controls and
procedures to implement it will clarify how the firm’s senior
management intends to discharge its responsibility for the prevention of
money laundering and terrorist financing. This will provide a
framework of direction to the firm and its staff, and will identify named
individuals and functions responsible for implementing particular
aspects of the policy. The policy will also set out how senior
management undertakes its assessment of the money laundering and
terrorist financing risks the firm faces, and how these risks are to be
managed. Even in a small firm, a summary of its high-level AML/CTF
policy will focus the minds of staff on the need to be constantly aware
of such risks, and how they are to be managed.
1.58 The policy statement might include, but not be limited to, such matters
as:
➢ Guiding principles:
o an unequivocal statement of the culture and values to
be adopted and promulgated throughout the firm
towards the prevention of financial crime;
o a commitment to ensuring that customers’ identities
will be satisfactorily verified before the firm accepts
them;
o a commitment to the firm ‘knowing its customers’
appropriately - both at acceptance and throughout the
business relationship - through taking appropriate steps
to verify the customer’s identity and business, and his
reasons for seeking the particular business relationship
with the firm;
o a commitment to ensuring that staff are trained and
made aware of the law and their obligations under it,
and to establishing procedures to implement these
requirements; and
o recognition of the importance of staff promptly
reporting their suspicions internally.
1.59 It is important that the firm’s policies, controls and procedures are
communicated widely throughout the firm, to increase the effectiveness
of their implementation.
Regulation 20(1) 1.61 A firm that is a parent undertaking must ensure that its policies, controls
and procedures apply to all subsidiary undertakings and non-UK
branches. Such a firm must establish and maintain throughout its group,
policies, controls and procedures for data protection and sharing, with
other members of the group, information for the purposes of preventing
Regulation 20(3),(4) 1.62 If any subsidiary undertaking or branch is established in a third country
which does not impose AML/CTF requirements as strict as those of the
UK, the firm must ensure that such subsidiary undertakings or branches
apply measures equivalent to those required by the ML Regulations.
Where the law of a non-EEA state does not permit the application of
such equivalent measures, the firm must inform the FCA accordingly,
and take additional measures to handle the risk of money laundering and
terrorist financing effectively.
Regulation 19(6) 1.63 Firms must communicate their policies, controls and procedures
established to prevent activities related to money laundering and
terrorist financing to branches and subsidiary undertakings located
outside the UK.
1.65 Where a firm has a listing in, or activities in, or linked to, certain
overseas jurisdictions, whether through a branch, subsidiary
undertaking, associated company or correspondent relationship, or
where a firm deals in another jurisdiction’s currency, there is a risk that
the application of that jurisdiction’s AML/CTF and financial sanctions
regimes may apply to the non-domestic activities of the firm. Senior
management should take advice on the extent to which the firm’s
activities may be affected in this way.
CHAPTER 2
INTERNAL CONTROLS
➢ Relevant law/regulation
▪ Regulations 19 - 24
▪ SYSC Chapters 2, 3, 3A, 6
➢ Core obligations
▪ Firms must establish and maintain adequate and appropriate policies and procedures to
forestall and prevent operations relating to money laundering
▪ Appropriate controls should take account of the risks faced by the firm’s business
➢ Actions required, to be kept under regular review
▪ Establish and maintain adequate and appropriate policies and procedures to forestall and
prevent money laundering
▪ Introduce appropriate controls to take account of the risks faced by the firm’s business
▪ Maintain appropriate control and oversight over outsourced activities
General
Regulation 19(1)(a); SYSC 3, 6 2.1 Firms are required to establish and maintain policies, controls and
procedures to mitigate and manage effectively the risks of money
laundering and terrorist financing identified in its risk assessment.
FCA-regulated firms have similar, regulatory obligations under SYSC.
2.2 This chapter provides guidance on the internal controls that will help
firms meet their obligations in respect of the prevention of money
laundering and terrorist financing. There are general obligations on
firms to maintain appropriate records and controls more widely in
relation to their business; this guidance is not intended to replace or
interpret these wider obligations.
Regulation 19(1)(b), (c), (2) 2.3 A firm’s policies, controls and procedures must be proportionate with
regard to the size and nature of its business, and must be approved by
its senior management and kept under regular review. A firm must
maintain a written record of its policies, controls and procedures.
Regulations 19, 21(1) 2.4 There are specific requirements under the ML Regulations for the firm
to establish adequate and appropriate policies, controls and procedures
relating to: internal controls, including where appropriate employee
screening and the appointment of an internal audit function; risk
management practices (see Chapter 4); customer due diligence and
ongoing monitoring (see Chapter 5); record keeping (see Chapter 8);
reporting of suspicions (see Chapter 6); the monitoring and management
of the effectiveness of, and compliance with, such policies and
procedures, (see paragraphs 3.33-3.36); and the internal communication
of such policies and procedures (which includes staff awareness and
training) (see Chapter 7).
Regulation 21(1) 2.5 Where appropriate with regard to the size and nature of its business, a
firm must
Regulation 21(3), (4) 2.6 An individual in the firm must be appointed as a nominated officer,
whose identity, as well as any subsequent appointment to this position,
must be notified to their supervisor. The firm must also notify their
supervisor of the name of the member of its board (or equivalent
management body) or of its senior management, and of any subsequent
appointment to this position, as the officer responsible for the firm’s
compliance with the ML Regulations. Such notifications must be made
within 14 days of the appointment.
Regulation 21(2)(a) 2.7 Screening of relevant employees (for the purposes referred to in
paragraph 2.5 above) means an assessment of:
Regulation 19(4) 2.9 A firm’s policies, controls and procedures must include policies,
controls and procedures:
Regulation 21(8),(9) 2.10 Firms must establish and maintain systems which enable them to
respond fully and rapidly to enquiries from financial investigators
accredited under s3 of POCA, persons acting on behalf of the Scottish
Ministers in their capacity as an enforcement authority under the Act or
constables, relating to:
SYSC 3.1.1 R; SYSC 3.1.2 G; SYSC 6.1.1 R; SYSC 6.1.2 R 2.12 FCA-regulated firms are required to have systems and controls
appropriate to their business. Such systems and controls will therefore
vary depending on the nature and characteristics of the firm, although
they must include measures ‘for countering the risk that the firm might
be used to further financial crime’. This requires a firm to make use of
its assessment of the financial crime risks to which it is subject
(described more fully in paragraphs 1.2-1.8). Financial crime includes
the handling of the proceeds of crime – that is, money laundering or
terrorist financing. The nature and extent of systems and controls will
vary by firm and depend on a variety of factors, including:
SYSC 6.3.1 R; Regulation 19 2.13 An FCA-regulated firm must ensure that these systems and controls:
➢ enable it to identify, assess, monitor and manage money
laundering risk; and
➢ are comprehensive and proportionate to the nature, scale and
complexity of its activities.
SYSC 6.3.7 G; SYSC 6.3.8 R; SYSC 6.3.9 R 2.14 An FCA-regulated firm’s systems and controls (but see paragraph 1.49
for general insurance firms and mortgage intermediaries) are required
to cover senior management accountability, including allocation to a
director or senior manager of overall responsibility for the
establishment and maintenance of effective AML systems and controls
and the appointment of a person with adequate seniority and experience
as MLRO. The systems and controls should also cover:
2.15 It is important that the firm’s policies, controls and procedures are
communicated widely throughout the firm, to increase the effectiveness
of their implementation.
2.16 Many firms outsource some of their systems and controls and/or
processing to elsewhere within the UK and to other jurisdictions, and/or
to other group companies. Involving other entities in the operation of a
firm’s systems brings an additional dimension to the risks that the firm
faces, and this risk must be actively managed. Firms must obtain
assurance that outsourcing providers meet the standards or requirements
set out in this Guidance.
Regulation 39(7)(8) 2.17 Nothing in the ML Regulations prevents a firm applying CDD measures
by means of an agent or an outsourcing service provider (but see
SYSC 3.2.4 G; SYSC 13.9 2.18 FCA-regulated firms cannot contract out of their regulatory
responsibilities, and therefore remain responsible for systems and
controls in relation to the activities outsourced, whether within the UK
or to another jurisdiction. In all instances of outsourcing it is the
delegating firm that bears the ultimate responsibility for the duties
undertaken in its name. This will include the requirement to ensure that
the provider of the outsourced services has in place satisfactory
AML/CTF systems, controls and procedures, and that those policies and
procedures are kept up to date to reflect changes in UK requirements.
CHAPTER 3
➢ Relevant law/regulation
▪ Regulation 21
▪ COCON
▪ PRIN, Principle 11
▪ APER, Chapters 2 and 4
▪ APER, Principles 4 and 7
▪ SYSC, Chapter 6
▪ SUP, Chapter 10
➢ Core obligations
▪ Nominated officer to be appointed, who must receive and review internal disclosures
▪ Nominated officer is responsible for making external reports
▪ FCA approval required for MLRO (who may also be the nominated officer), as it is a
designated Senior Management Function (SMF 17)
▪ Threshold competence required
▪ MLRO should be able to act on his own authority
▪ Adequate resources must be devoted to AML/CTF
▪ MLRO is responsible for oversight of the firm’s AML systems and controls
➢ Actions required, to be kept under regular review
▪ Appoint a nominated officer
▪ Senior management to ensure the MLRO has:
o active support of senior management
o adequate resources
o independence of action
o access to information
o an obligation to produce an annual report
▪ MLRO to ensure he has continuing competence
▪ MLRO to monitor the effectiveness of systems and controls
Legal obligations
Regulation 21 (3); POCA ss337, 338; Terrorism Act ss21A, 21B 3.1 All firms (other than sole traders) carrying out relevant business under
the ML Regulations, whether or not the firm is regulated by the FCA,
must appoint a nominated officer, who is responsible for receiving
disclosures under Part 7 of POCA and Part 3 of the Terrorism Act,
deciding whether these should be reported to the NCA, and, if
appropriate, making such external reports.
3.2 A sole trader with no employees who knows or suspects, or where there
are reasonable grounds to know or suspect, that a customer of his, or
the person on whose behalf the customer is acting, is or has been
engaged in, or attempting, money laundering or terrorist financing,
must make a report promptly to the NCA.
Regulation 21(1)(a) 3.3 Where appropriate with regard to the size and nature of its business, a
firm must appoint a member of its board of directors (or equivalent
Regulatory obligations
SYSC 6.3.9 R; SUP 10C.4.3 R 3.4 In the case of FCA-regulated firms, other than sole traders with no
employees and those firms covered by paragraph 3.2, there is a
requirement to appoint an MLRO. The responsibilities of the MLRO
under SYSC are different from those of the nominated officer under
the ML Regulations, POCA or the Terrorism Act, but in many FCA-
regulated firms it is likely that the MLRO and the nominated officer
will be one and the same person. When discharging different legal and
regulatory functions, it is important that the individual is aware which
role he is acting in.
SYSC 6.3.9(1) R 3.5 The MLRO is responsible for oversight of the firm’s compliance with
the FCA’s Rules on systems and controls against money laundering.
Regulation 21(8) 3.6 An MLRO should be able to monitor the day-to-day operation of the
firm’s AML/CTF policies, and respond fully and rapidly to enquiries
for information made by the FCA or law enforcement.
PRIN 2.1.1; APER 2.1A.3 3.7 Under FCA Principle 11 of its Principles for Businesses, an
FCA-regulated firm must deal with its regulators in an open and cooperative
way, and must disclose to the FCA appropriately anything relating to
the firm of which the FCA would reasonably expect notice. The MLRO
is personally required to deal with the FCA similarly, under Principle 4
of its Statement of Principles.
SYSC 1.1A.1; SYSC 3.2.6R 3.8 As noted in paragraph 1.49, general insurance firms and mortgage
intermediaries are not covered by the ML Regulations, s 330 of POCA,
s 21A of the Terrorism Act, or the provisions of SYSC relating
specifically to money laundering. They are, however, regulated by the
FCA and may be subject to the disclosure obligations in POCA and the
Terrorism Act. They therefore are under no obligation to appoint a
nominated officer or an MLRO, or to allocate to a director or senior
manager the responsibility for the establishment and maintenance of
effective anti-money laundering systems and controls. They are,
however, subject to the general requirements of SYSC, and so have an
obligation to have appropriate risk management systems and controls in
place, including controls to counter the risk that the firm might be used
to further financial crime. They are also subject to ss 337 and 338 of
POCA and s 19 of the Terrorism Act.
POCA s 332; Terrorism Act s 19 3.9 For administrative convenience, and to assist their staff fulfil their
obligations under POCA or the Terrorism Act, firms who have no legal
obligation to do so, may nevertheless choose to appoint a nominated
officer. Where they do so, he will be subject to the reporting obligations
in s 332 of POCA and s 19 of the Terrorism Act.
SUP 10.7.13 R; SYSC 6.3.10 G; FSMA s59 3.10 The role of MLRO has been designated by the FCA as a
controlled/Senior Management function under s 59 of FSMA. As a
consequence, any person invited to perform that function must be
individually approved by the FCA, on the application of the firm, before
performing the function. The FCA expect that the MLRO will be based
in the UK.
APER 4.7.9 E; APER, Principle 7 3.11 Failure by the MLRO to discharge the responsibilities imposed on him
in SYSC 6.3.9 R is conduct that does not comply with Statement of
Principle 7 for Approved Persons, namely that ‘an approved person
performing an accountable higher management function must take
reasonable steps to ensure that the business of the firm for which they
are responsible in their accountable function capacity complies with the
relevant requirements and standards of the regulatory system’.
SYSC 6.3.9 R; SYSC 6.3.10 G 3.12 In FCA-regulated firms, the MLRO is responsible for the oversight of
all aspects of the firm’s AML/CTF activities and is the focal point for
all activity within the firm relating to anti-money laundering. The
individual appointed as MLRO must have a sufficient level of seniority
within the firm (see paragraph 1.38). As the MLRO is an Approved
Person/SMF Manager, his job description should clearly set out the
extent of the responsibilities given to him, and his objectives. The
MLRO will need to be involved in establishing the basis on which a
risk-based approach to the prevention of money laundering/terrorist
financing is put into practice.
SYSC 4.4.7(4); SYSC 6.3.9(1) R; SYSC 6.3.10 G 3.13 Along with the SMF Manager appointed by the Board (see paragraph
1.37), an MLRO will support and co-ordinate senior management focus
on managing the money laundering/terrorist financing risk in individual
business areas. He will also help ensure that the firm’s wider
responsibility for forestalling and preventing money laundering/terrorist
financing is addressed centrally, allowing a firm-wide view to be taken
of the need for monitoring and accountability.
3.14 As noted in paragraph 1.41, the relationship between the MLRO and the
director(s)/senior manager(s) allocated overall responsibility for the
establishment and maintenance of the firm’s AML/CTF systems is one
of the keys to an effective AML/CTF regime. It is important that this
relationship is clearly defined and documented, so that each knows the
extent of his, and the other’s, role and day to day responsibilities.
Regulation 21(1)(a) 3.15 Where the firm is required to appoint a board member or member of its
senior management as the officer responsible for the firm’s compliance
with the ML Regulations, it is important that this individual, the MLRO
and the director(s)/senior manager(s) allocated overall responsibility for
the establishment and maintenance of the firm’s AML/CTF systems
(see paragraph 3.14) are all clear as to the responsibilities of each.
SYSC 6.3.9(2)R 3.16 The MLRO must have the authority to act independently in carrying out
his responsibilities. The MLRO must be free to have direct access to
the FCA and (where he is the nominated officer) appropriate law
enforcement agencies, including the NCA, in order that any suspicious
activity may be reported to the right quarter as soon as is practicable.
He must be free to liaise with the NCA, on his own authority, on any
question of whether to proceed with a transaction in the circumstances.
SYSC 6.3.9 (2)R 3.17 Senior management of the firm must ensure that the MLRO has
sufficient resources available to him, including appropriate staff and
technology. This should include arrangements to apply in his
temporary absence.
3.20 Where AML/CTF tasks are delegated by a firm’s MLRO, the FCA will
expect the MLRO to take ultimate managerial responsibility.
Regulation 19(4)(d); POCA s 330 3.21 A firm must require that anyone in the firm to whom information or
other matter comes in the course of business as a result of which they
know or suspect, or have reasonable grounds for knowing or suspecting,
that a person is engaged in money laundering or terrorist financing
complies with Part 7 of POCA or Part 3 of the Terrorism Act (as the
case may be). This includes staff having an obligation to make an
internal report to the nominated officer as soon as is reasonably
practicable after the information or other matter comes to them.
3.24 In most cases, before deciding to make a report, the nominated officer
is likely to need access to the firm’s relevant business information. A
firm should therefore take reasonable steps to give its nominated officer
access to such information. Relevant business information may
include details of:
➢ the financial circumstances of a customer or beneficial owner, or
any person on whose behalf the customer has been or is acting;
➢ the features of the transactions, including, where appropriate, the
jurisdiction in which the transaction took place, which the firm
entered into with or for the customer (or that person); and
➢ the underlying CDD information, and copies of the actual source
documentation in respect of the customer.
3.25 In addition, the nominated officer may wish:
➢ to consider the level of identity information held on the customer,
and any information on his personal circumstances that might be
available to the firm; and
➢ to review other transaction patterns and volumes through the
account or accounts in the same name, the length of the business
relationship and identification records held.
Regulation 19(4)(d); Regulation 21(5); POCA s 331 3.26 If the nominated officer (or appointed alternate) concludes that the
internal report does give rise to knowledge or suspicion of money
laundering or terrorist financing, he must make a report to the NCA as
soon as is practicable after he makes this determination. The nominated
officer (or appointed alternate)’s decision in this regard must be his own,
and should not be subject to the direction or approval of other parties
within the firm.
3.28 An MLRO should ensure that the firm obtains, and makes appropriate
use of, any government or FATF findings concerning the approach to
money laundering prevention in particular countries or jurisdictions.
This is especially relevant where the approach has been found to be
materially deficient by FATF. Reports on the mutual evaluations
carried out by the FATF can be found at www.fatf-gafi.org. Other
sources of information include IMF and World Bank reports.
3.30 Countries may also be assessed using publicly available indices from,
for example, HM Treasury Sanctions[10], FATF high-risk and
non-cooperative jurisdictions[11], FATF Mutual Evaluation Reports,
Transparency International Corruption Perceptions Index[12], FCO
Human Rights Report[13], UK Trade and Investment overseas country
risk pages[14] and quality of regulation[15].
SYSC 6.3.3 R; SYSC 6.3.9(1) R; SYSC 6.3.10 G 3.33 A firm is required to carry out regular assessments of the adequacy of
its systems and controls to ensure that they manage the money
laundering risk effectively. Oversight of the implementation of the
firm’s AML/CTF policies and procedures, including the operation of
the risk-based approach, is primarily the responsibility of the MLRO,
under delegation from senior management. He must therefore ensure
that appropriate monitoring processes and procedures across the firm
are established and maintained.
Regulation 21(1) 3.34 However, where appropriate with regard to the size and nature of its
business, a firm must establish an independent internal audit function
with responsibility for:
[10] http://hmt-sanctions.s3.amazonaws.com/sanctionsconlist.pdf
[11] http://www.fatf-gafi.org/topics/high-riskandnon-cooperativejurisdictions/
[12] http://cpi.transparency.org/cpi2013/results/
[13] http://www.hrdreport.fco.gov.uk/
[14] http://www.ukti.gov.uk/export/howwehelp/oberseasbusinessrisk/countries.html
[15] http://www.state.gov/eb/rls/othr/ics/2013/index.htm
Regulation 20 3.36 The effective operation of group systems and controls in non-EEA
branches and subsidiary undertakings will be influenced by the ability
of the group to ensure that these can be followed without local
restrictions, whether in law or otherwise (see paragraphs 1.60 - 1.62).
SYSC 6.3.7(2) G 3.37 At least annually the senior management of an FCA-regulated firm
should commission a report from its MLRO which assesses the
operation and effectiveness of the firm’s systems and controls in
relation to managing money laundering risk.
3.39 The firm’s senior management should consider the report, and take any
necessary action to remedy deficiencies identified in it, in a timely
manner.
3.40 The MLRO will wish to bring to the attention of senior management
areas where the operation of AML/CTF controls should be improved,
and proposals for making appropriate improvements. The progress of
any significant remedial programmes will also be reported to senior
management.
3.41 In addition, the MLRO should report on the outcome of any relevant
quality assurance or internal audit reviews of the firm’s AML/CTF
processes, as well as the outcome of any review of the firm’s risk
assessment procedures (see paragraph 4.82).
3.42 Firms will need to use their judgement as to how the MLRO should be
required to break down the figures of internal reports in his annual
report.
3.43 In December 2006, after discussion with the FCA, JMLSG issued a
template suggesting a suitable presentation and content framework for
3.45 In practice, subject to the approval of the FCA, larger groups might
prepare a single consolidated report covering all of its regulated firms.
The MLRO of each regulated firm within the group still has a duty to
report appropriately to the senior management of his regulated firm.
SUP 16.23.4 R; SUP 16.23.2 R 3.47 All firms, other than credit unions and certain firms with limited
permissions and total revenues of less than £5 million, must submit an
Annual Financial Crime Report to the FCA annually in respect of their
financial year ending on its latest accounting reference date.
SUP 16.23.5 R 3.48 If a group includes more than one firm, a single Annual Financial
Crime Report may be submitted, and so satisfy the requirements of all
firms in the group, where all the firms included in the single report have
the same accounting reference date.
SUP 16.23.6 R; SUP 16.23.7 R 3.49 A firm must submit the Annual Financial Crime Report in the form
specified in SUP 16 Annex 42AR, using the appropriate online systems
accessible from the FCA website (www.fca.org.uk). The Report must
be submitted within 60 business days of the firm’s accounting reference
date.
CHAPTER 4
RISK-BASED APPROACH
➢ Relevant law/regulation
▪ Regulations 18, 19(1), 27 (8), 28(13), 33, 35 and 36
▪ SYSC 3.1.2 G, 6.1.1 R, 6.3.1-3, 6.3.6
➢ Other authoritative pronouncements which endorse a risk-based approach
▪ FATF Recommendations 1 and 10
▪ Basel Paper – Sound management of risks related to money laundering and financing of
terrorism (updated February 2016)
▪ IAIS Guidance Paper 5
▪ IOSCO Principles paper
▪ ESA Risk Factor Guidelines
➢ Core obligations
▪ Identify and assess the risks of money laundering and terrorist financing to which its business
is subject
▪ Appropriate systems and controls must reflect the degree of risk associated with the business
and its customers
▪ Determine appropriate CDD measures on a risk-sensitive basis, depending on the type of
customer, business relationship, product or transaction
▪ Take into account situations and products which by their nature can present a higher risk of
money laundering or terrorist financing; these specifically include correspondent banking
relationships; and business relationships and occasional transactions with PEPs
➢ Actions required, to be kept under regular review
▪ Carry out a formal, and regular, money laundering/terrorist financing risk assessment,
including market changes, and changes in products, customers and the wider environment
▪ Ensure internal policies, controls and procedures, including staff awareness, adequately
reflect the risk assessment
▪ Ensure customer identification and acceptance procedures reflect the risk characteristics of
customers
▪ Ensure arrangements for monitoring systems and controls are robust, and reflect the risk
characteristics of customers
General
4.1 There are a number of discrete steps in assessing the most cost effective
and proportionate way to manage and mitigate the money laundering
and terrorist financing risks faced by the firm. These steps are to:
Risk Assessment
Regulation 18(1),(2),(3) 4.3 The ML Regulations require firms to take appropriate steps to identify
and assess the risks of money laundering and terrorist financing to which
its business is subject, taking into account:
In considering what steps are appropriate, firms must take into account
the size and nature of its business. Firms that do not offer complex
products or services and that have limited or no international exposure
may not need an overly complex or sophisticated business risk
assessment.
Regulation 18(4),(5),(6) 4.4 The risk assessments carried out must be documented, kept up to date
and made available to the FCA on request. The FCA may decide that a
documented risk assessment in the case of a particular firm is not
required where the specific risks inherent in the sector in which the firm
operates are clear and understood.
Regulation 16(2) 4.5 The UK government has published a national risk assessment of money
laundering and terrorist financing[16] which provides a backdrop to a
firm’s assessment of the UK risks inherent in its business. Firms should
be aware of this publication, and should take account of relevant
findings that affect their individual business risk assessment.
4.6 Senior management of most firms, whatever business they are in,
manage the firm’s affairs with regard to the risks inherent in the business
environment and jurisdictions the firm operates in, those risks inherent
in its business and the effectiveness of the controls it has put in place to
manage these risks.
[16] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/468210/UK_NRA_October_2015_final_web.pdf
4.7 To assist the overall objective to prevent money laundering and terrorist
financing, a risk-based approach:
Regulation 33(7),(8); Regulation 37(4),(7) 4.8 A firm therefore uses its assessment of the risks inherent in its business
to inform its risk-based approach to the identification and verification
of individual customers, which will in turn drive the level and extent of
due diligence appropriate to that customer. The firm’s decisions on the
CDD measures to be applied must take account of Risk Factor
Guidelines issued jointly by the European Supervisory Authorities.
4.9 No system of checks will detect and prevent all money laundering or
terrorist financing. A risk-based approach will, however, serve to
balance the cost burden placed on individual firms and their customers
with a realistic assessment of the threat of the firm being used in
connection with money laundering or terrorist financing. It focuses the
effort where it is needed and will have most impact.
Regulation 18(2)(b) 4.11 A firm is required to assess the risks inherent in its business, taking into
account risk factors including those relating to its customers, countries
or geographical areas in which it operates, products, services, its
transactions and delivery channels.
4.12 Examples of the risks in particular industry sectors are set out in the
sectoral guidance in Part II. FATF also publishes papers on the ML/TF
risks in various industry sectors, see www.fatf-gafi.org. The UK
government has published its first national risk assessment of money
laundering and terrorist financing[17] which provides a backdrop to a
firm’s assessment of the UK risks inherent in its business. Firms should
[17] https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/468210/UK_NRA_October_2015_final_web.pdf
4.13 The risk environment faced by the firm includes the wider context
within which the firm operates – whether in terms of the risks posed by
the jurisdictions in which it and its customers operate, the relative
attractiveness of the firm’s products or the nature of the transactions
undertaken. Risks are posed not only in relation to the extent to which
the firm has, or has not, been able to carry out the appropriate level of
CDD in relation to the customer or beneficial owner(s), nor by who the
customer or its beneficial owner(s) is (are), but also in relation to the
activities undertaken by the customer – whether in the normal course of
its business, or through the products used and transactions undertaken.
4.14 The business of many firms, their product and customer base, can be
relatively simple, involving few products, with most customers falling
into similar categories. In such circumstances, a simple approach,
building on the risk the firm’s products are assessed to present, may be
appropriate for most customers, with the focus being on those customers
who fall outside the ‘norm’. Other firms may have a greater level of
business, but large numbers of their customers may be predominantly
retail, served through delivery channels that offer the possibility of
adopting a standardised approach to many AML/CTF procedures. Here,
too, the approach for most customers may be relatively straightforward,
building on the product risk.
4.15 For firms which operate internationally, or which have customers based
or operating abroad, there are additional risk considerations relating to
the position of the jurisdictions involved, and their reputation and
standing as regards the inherent ML/TF risk, and the effectiveness of
their AML/CTF enforcement regime.
4.16 Many governments and authorities carry out ML/TF risk assessments
for their jurisdictions, and firms should have regard to these, insofar as
they are published and available.
4.18 Countries may also be assessed using publicly available indices from
HM Treasury Sanctions18, FATF high-risk and non-cooperative
jurisdictions19, Moneyval evaluations20, Transparency International
18 http://hmt-sanctions.s3.amazonaws.com/sanctionsconlist.pdf
19 http://www.fatf-gafi.org/topics/high-riskandnon-cooperativejurisdictions/
20 http://www.coe.int/t/dghl/monitoring/moneyval/
SYSC 6.3.6 G 4.19 In identifying its money laundering risk an FCA-regulated firm should
consider a range of factors, including
4.20 The firm should therefore assess its risks in the context of how it might
most likely be involved in money laundering or terrorist financing. In
this respect, senior management should ask themselves a number of
questions; for example:
4.21 Annex 4-I contains further guidance on considerations firms might take
account of in assessing the level of ML/TF risk in different jurisdictions.
The concept of an ‘equivalent jurisdiction’ no longer exists under the
ML Regulations.
4.22 When the FCA issues a relevant thematic review report, or updates its
Financial Crime Guide, as part of its ongoing assessment of ML/TF
risks, a firm should consider whether there are any areas of risk or issues
of concern which are relevant to the firm’s business highlighted within
the report. Firms should be aware of the FCA’s published enforcement
findings in relation to individual firms, and its actions in response to
these; this information is available on the FCA website at
http://www.fca.org.uk/firms/being-regulated/enforcement/outcomes-notices.
New technologies
Regulation 19(4)(c), 33(6)(b)(v) 4.23 In identifying and assessing the money laundering or terrorist financing
risks, firms must take account of whether new products and new
business practices are involved, including new delivery mechanisms,
and the use of new or developing technologies for both new and pre-
existing products. As well as being specifically required in assessing
whether there is a high risk of ML/TF in a particular situation, such a
risk assessment should take place prior to the launch of the new
products, business practices or the use of new or developing
technologies. Appropriate measures should be taken to manage and
21 http://cpi.transparency.org/cpi2013/results/
22 http://www.hrdreport.fco.gov.uk/
23 http://www.ukti.gov.uk/export/howwehelp/oberseasbusinessrisk/countries.html
24 http://www.state.gov/eb/rls/othr/ics/2013/index.htm
A risk-based approach – Design and implement controls to manage and mitigate the risks
Regulation 19(1) 4.24 Once the firm has identified and assessed the risks it faces in respect of
money laundering or terrorist financing – at EU level, UK level and in
relation to the firm itself – senior management must establish and
maintain policies, controls and procedures to mitigate and manage
effectively the risks of money laundering and terrorist financing
identified in its risk assessment. These policies, controls and
procedures must take account of the size and nature of the firm’s
business.
Regulation 19(2)(b) 4.26 Firms must obtain approval from their senior management for the
policies, controls and procedures that they put in place and for
monitoring and enhancing the measures taken, where appropriate.
Regulation 19, 21 4.28 The policies, controls and procedures referred to in paragraph 4.24
must include:
4.29 The nature and extent of AML/CTF controls will depend on a number
of factors, including:
General
Regulation 28(12) 4.33 Based on the risk assessment carried out, a firm will determine the level
of CDD that should be applied in respect of each customer and
beneficial owner. It is likely that there will be a standard level of CDD
that will apply to the generality of customers, based on the firm’s risk
appetite.
4.35 To decide on the most appropriate and relevant controls for the firm,
senior management should ask themselves what measures the firm can
adopt, and to what extent, to manage and mitigate these threats/risks
most cost effectively, and in line with the firm’s risk appetite.
Examples of control procedures include:
Regulation 18 4.37 Although the ML/TF risks facing the firm fundamentally arise through
its customers, the nature of their businesses and their activities, a firm
must consider its customer risks in the context of the wider ML/TF
environment inherent in the business and jurisdictions in which the firm
and its customers operate. Firms should bear in mind that some
jurisdictions have close links with other, perhaps higher risk,
jurisdictions, and where appropriate and relevant regard should be had
to this.
Regulation 31(1) 4.40 However, as stated in paragraph 5.2.6, if a firm cannot satisfy itself as
to the identity of a customer or the beneficial owner who is not the
customer; verify that identity; or obtain sufficient information on the
nature and intended purpose of the business relationship, it must not
enter into a new business relationship and must terminate an existing
one.
4.42 Some other firms, however, often (but not exclusively) those dealing in
wholesale markets, may offer a more ‘bespoke’ service to customers,
many of whom are already subject to extensive due diligence by lawyers
and accountants for reasons other than AML/CTF. In such cases, the
business of identifying the customer will be more complex, but will take
account of the considerable additional information that already exists in
relation to the prospective customer.
SYSC 6.3.6 G 4.43 In order to be able to implement a reasonable RBA, firms should
identify criteria to assess potential money laundering risks.
Identification of the money laundering or terrorist financing risks, to the
extent that such terrorist financing risk can be identified, of customers
or categories of customers, and transactions will allow firms to design
and implement proportionate measures and controls to mitigate these
risks.
4.44 Money laundering and terrorist financing risks may be measured using
a number of factors. Application of risk categories to
customers/situations can then provide a strategy for managing potential
risks by enabling firms to subject customers to proportionate controls
and oversight. The key risk criteria are: country or geographic risk;
Regulation 33(7)(8), 37(4)(7) 4.45 Annex 4-II contains a fuller list of illustrative risk factors a firm may
address when considering the ML/TF risk posed by customer situations,
consistent with Risk Factor Guidelines issued jointly by the European
Supervisory Authorities, to which firms must have regard.
Regulation 28(13) 4.46 When assessing the ML/TF risks relating to types of customers,
countries or geographic areas, and particular products, services,
transactions or delivery channel risks, a firm should take into account
risk variables relating to those risk categories. These variables, either
singly or in combination, may increase or decrease the potential risk
posed, thus impacting the appropriate level of CDD measures.
Examples of such variables include:
4.47 When assessing risk, firms should consider all relevant risk factors
before determining what is the overall risk category and the appropriate
level of mitigation to be applied.
4.49 When weighting risk factors, firms should make an informed judgement
about the relevance of different risk factors in the context of a particular
customer relationship or occasional transaction. This often results in
firms allocating different ‘scores’ to different factors – for example,
firms may decide that a customer’s personal links to a jurisdiction
associated with higher ML/TF risk is less relevant in light of the features
of the product they seek.
4.50 Ultimately, the weight given to each of these factors is likely to vary
from product to product and customer to customer (or category of
customer) and from one firm to another. When weighting factors, firms
should ensure that:
4.52 When the FCA issues a relevant thematic review report, or updates its
Financial Crime Guide, as part of its ongoing assessment of ML/TF
risks, a firm should consider whether there are any areas of risk or issues
of concern which are relevant to the firm’s business highlighted within
the report. Firms should be aware of the FCA’s published enforcement
findings in relation to individual firms, and its actions in response to
these; this information is available on the FCA website at
http://www.fca.org.uk/firms/being-regulated/enforcement/outcomes-notices.
Regulation 37(1) 4.54 There are other circumstances where the risk of money laundering or
terrorist financing may be lower. In such circumstances, and provided
there has been an adequate analysis of the risk by the country or by the
firm, the firm may (if permitted by local law or regulation) apply
reduced CDD measures. [See Part I, paragraphs 5.4.1ff for additional
guidance on simplified due diligence.] When assessing the ML/TF risks
relating to types of customers, countries or geographic areas, and
particular products, services, transactions or delivery channels,
potentially lower risk situations may be influenced by:
Regulation 33(7)(8), 37(4)(7) 4.55 Annex 4-II contains a fuller list of illustrative risk factors a firm may
address when considering the ML/TF risk posed by customer situations,
consistent with Risk Factor Guidelines issued jointly by the European
Supervisory Authorities, to which firms must have regard.
4.57 Firms should not, however, judge the level of risk solely on the nature
of the customer or the product. Where, in a particular customer/product
combination, either or both the customer and the product are considered
to carry a higher risk of money laundering or terrorist financing, the
overall risk of the customer should be considered carefully. Firms need
to be aware that allowing a higher risk customer to acquire a lower risk
product or service on the basis of a verification standard that is
appropriate to that lower risk product or service can lead to
further verification requirements, particularly if the
customer wishes subsequently to acquire a higher risk product or
service.
Regulation 33(1) 4.60 Where higher risks are identified, firms are required to take enhanced
measures to manage and mitigate the risks. Politically Exposed Persons
and Correspondent relationships have been specifically identified by the
authorities as higher risk. Specific guidance on enhanced due diligence
in these cases is given in section 5.5.
4.62 Where the risks of ML/TF are higher, firms must conduct enhanced due
diligence measures consistent with the risks identified.
Regulation 33(4) (a) In particular, they must:
Regulation 33(7)(8), 37(4)(7) 4.63 Annex 4-II contains a fuller list of illustrative risk factors a firm may
address when considering the ML/TF risk posed by customer situations,
consistent with Risk Factor Guidelines issued jointly by the European
Supervisory Authorities, to which firms must have regard.
Regulation 33(1)(f),(4) 4.64 Where EDD measures are applied, firms must as far as reasonably
possible examine the background and purpose of all complex and
unusually large transactions, unusual patterns of transactions and
transactions which have no apparent economic or legal purpose. They
must also increase the degree and nature of monitoring of the business
relationship in which such transactions are made to determine whether
those transactions or that relationship appear to be suspicious.
4.65 In the case of some situations assessed as high risk, or which are outside
the firm’s risk appetite, the firm may wish not to take on the customer,
or may wish to exit from the relationship. This may be the case in
relation to particular types of customer, or in relation to customers from,
or transactions to or through, particular high risk countries or geographic
areas, or in relation to a combination of other risk factors.
4.67 The firm must decide, on the basis of its assessment of the risks posed
by different customer/product combinations, on the level of verification
4.69 When the FCA issues a relevant thematic review report, or updates its
Financial Crime Guide, as part of its ongoing review of its controls to
manage and mitigate its ML/TF risks, a firm should consider how its
systems, controls and procedures appear in relation to the self-
assessment questions set out in the report. Firms should be aware of the
FCA’s published enforcement findings in relation to individual firms,
and its actions in response to these; this information is available at
http://www.fca.org.uk/firms/being-regulated/enforcement/outcomes-notices.
A risk-based approach – Monitor and improve the effective operation of the firm’s controls
Regulation 19(2)(b), SYSC 6.3.8 R 4.70 The policies, controls and procedures should be approved by senior
management, and the measures taken to manage and mitigate the risks
(whether higher or lower) should be consistent with national
requirements and with guidance from competent authorities.
4.71 Independent testing of, and reporting on, the development and effective
operation of the firm’s RBA should be conducted by, for example, an
internal audit function (where one is established), external auditors,
specialist consultants or other qualified parties who are not involved in
the implementation or operation of the firm’s AML/CTF compliance
programme.
SYSC 6.3.3 R 4.72 The firm will need to have some means of assessing that its risk
mitigation procedures and controls are working effectively, or, if they
are not, where they need to be improved. Its policies, controls and
procedures will need to be kept under regular review. Aspects the firm
will need to consider include:
4.73 When the FCA issues a relevant thematic review report, or updates its
Financial Crime Guide, as part of its monitoring of the performance of
its ML/TF controls, a firm should consider whether any of the examples
of poor practice have any resonance within the firm. Firms should be
aware of the FCA’s published enforcement findings in relation to
individual firms, and its actions in response to these; this information is
available on the FCA website at
http://www.fca.org.uk/firms/being-regulated/enforcement/outcomes-notices.
A risk-based approach – Record appropriately what has been done and why
SYSC 6.3.3 R, Regulation 18(4) 4.74 Firms must document their risk assessments in order to be able to
demonstrate their basis, keep these assessments up to date, and have
appropriate mechanisms to provide appropriate risk assessment
information to competent authorities.
4.76 The responses to consideration of the issues set out above, or to similar
issues, will enable the firm to tailor its policies and procedures on the
prevention of money laundering and terrorist financing. Documentation
of those responses should enable the firm to demonstrate to its regulator
and/or to a court:
SYSC 6.3.3 R 4.78 Risk management generally is a continuous process, carried out on a
dynamic basis. A money laundering/terrorist financing risk assessment
is not a one-time exercise. Firms must therefore ensure that their risk
management processes for managing money laundering and terrorist
financing risks are kept under regular review.
4.79 There is a need to monitor the environment within which the firm
operates. Success in preventing money laundering and terrorist
financing in one area of operation or business will tend to drive
criminals to migrate to another area, business, or product stream.
Periodic assessment should therefore be made of activity in the firm’s
market place. If evidence suggests that displacement is happening, or
if customer behaviour is changing, the firm should be considering what
it should be doing differently to take account of these changes.
4.80 In a stable business change may occur slowly: most businesses are
evolutionary. Customers’ activities change (without always notifying
the firm) and the firm’s products and services – and the way these are
offered or sold to customers – change. The products/transactions
attacked by prospective money launderers or terrorist financiers will
also vary as perceptions of their relative vulnerability change.
Annex 4-I
CONSIDERATIONS IN ASSESSING THE LEVEL OF ML/TF RISK IN DIFFERENT JURISDICTIONS
1. This Annex is designed to assist firms by setting out how they might approach their assessment
of other jurisdictions, to determine their level of ML/TF risk. The Annex discusses jurisdictions
where there may be a presumption of low risk, and those where such a presumption may not be
appropriate without further investigation. It then discusses issues that a firm should consider in
all cases when coming to a judgement on the level of ML/TF risk implicit in any particular
jurisdiction.
2. Assessment of a jurisdiction as low risk only allows for some easement of the level of due
diligence carried out – it is not a complete exemption from the application of CDD measures in
respect of customer identification. It does not exempt the firm from carrying out ongoing
monitoring of the business relationship with the customer, nor from the need for such other
procedures (such as monitoring) as may be necessary to enable a firm to fulfil its responsibilities
under the Proceeds of Crime Act 2002.
3. Although the judgement on the risk level is one to be made by each firm in the light of the
particular circumstances, senior management is accountable for this judgement – either to its
regulator, or, if necessary, to a court. It is therefore important that the reasons for concluding that
a particular jurisdiction is low risk (other than those in respect of which a presumption of low
risk may be made) are documented at the time the decision is made, and that it is made on relevant
and up to date data or information.
Categories of country
4. When identifying lower risk jurisdictions, FATF encourages firms to take into consideration
country risk factors:
5. All Member States of the EU (which, for this purpose, includes Gibraltar as part of the UK, and
Aruba as part of the Kingdom of the Netherlands) are required to enact legislation and financial
sector procedures in accordance with the EU Fourth Money Laundering Directive. The directive
implements the revised 2012 FATF standards.
All EEA countries have undertaken to implement the fourth money laundering directive and all
are members of FATF or the relevant FATF style regional body (for Europe, this is
MONEYVAL).
6. Gibraltar is also directly subject to the requirements of the money laundering directive, which
it has implemented. It is therefore considered to be low risk for these purposes.
7. Given the commitment to implement the Fourth Money Laundering Directive, firms may initially
presume EEA member states to be low risk; significant variations may however exist in the
precise measures that have been taken to transpose the money laundering directive (and its
predecessors) into national laws and regulations. Moreover, the effective implementation of the
standards will also vary. Where firms have substantive information which indicates that a
presumption of low risk cannot be sustained, either in general or for particular products, they will
need to consider whether their procedures should be enhanced to take account of this information.
8. The status of implementation of the fourth money laundering directive across the EU is available
at http://ec.europa.eu/internal_market/company/docs/official/080522web_en.pdf.
9. All FATF members, including members of FATF style regional bodies, undertake to implement
the FATF anti-money laundering and counter-terrorism Recommendations as part of their
membership obligations.
10. However, unlike the transposition of the money laundering directive by EU Member States,
implementation cannot be mandatory, and all members will approach their obligations in different
ways, and under different timetables.
13. As a result of due diligence carried out, therefore, for the purposes of determining those
jurisdictions which, in the firm’s judgement, are low risk, firms may rely, for the purposes of
carrying out CDD measures, on other regulated firms situated in such a jurisdiction.
Firms should bear in mind that the presence of one or more risk factors may not always indicate
that there is a high risk of money laundering or terrorist financing in a particular situation.
16. There are a number of international and regional ‘groups’ of jurisdictions that admit to
membership only those jurisdictions that have demonstrated a commitment to the fight against
money laundering and terrorist financing, and which have an appropriate legal and regulatory
regime to back up this commitment.
Contextual factors
17. Such factors as the political stability of a jurisdiction, and where it stands in tables of corruption,
are relevant to whether it is likely that a jurisdiction will be low risk. It will, however, seldom be
easy for firms to make their own assessments of such matters, and it is likely that they will have
to rely on external agencies for such evidence – whether prepared for general consumption, or
specifically for the firm. Where the firm looks to publicly available evidence, it will be important
that it has some knowledge of the criteria that were used in making the assessment; the firm
cannot rely solely on the fact that such a list has been independently prepared, even if by a
respected third party agency.
18. The FATF from time to time issues statements on its concerns about the lack of comprehensive
AML/CTF systems in a number of jurisdictions (see section 2.4 below). When constructing their
internal procedures, therefore, financial sector firms should have regard to the need for additional
monitoring procedures for transactions from any country that is listed on these statements of
concern. Additional monitoring procedures will also be required in respect of correspondent
relationships with financial institutions from such countries.
19. Other, commercial agencies also produce reports and lists of jurisdictions, entities and individuals
that are involved, or that are alleged to be involved, in activities that cast doubt on their integrity
in the AML/CTF area. Such reports and lists can provide some useful and relevant evidence – which
may or may not be conclusive – on whether or not a particular jurisdiction is likely to be low risk.
20. Particular attention should be paid to assessments that have been undertaken by standard setting
bodies such as FATF, and by international financial institutions such as the IMF.
FATF
21. FATF member countries monitor their own progress in the fight against money laundering and
terrorist financing through regular mutual evaluation by their peers. In 1998, FATF extended
the concept of mutual evaluation beyond its own membership through its endorsement of FATF-
style mutual evaluation programmes of a number of regional groups which contain non-FATF
members. The groups undertaking FATF-style mutual evaluations are
22. Firms should bear in mind that mutual evaluation reports are at a ‘point in time’, and should be
interpreted as such. Although follow up actions are usually reviewed after two years, there can
be quite long intervals between evaluation reports in respect of a particular jurisdiction. Even at
the point an evaluation is carried out there can be changes in train to the jurisdiction’s AML/CTF
regime, but these will not be reflected in the evaluation report. There can also be subsequent
changes to the regime (whether to respond to criticisms by the evaluators or otherwise) which
firms should seek to understand and to factor into their assessment of whether the jurisdiction is
low risk.
23. In assessing the conclusions of a mutual evaluation report, firms may find it difficult to give
appropriate weighting to findings and conclusions in respect of the jurisdiction’s compliance with
particular Recommendations. For the purposes of assessing level of risk, compliance (or
otherwise) with certain Recommendations may have more relevance than others. The extent to
which a jurisdiction complies with the following Recommendations may be particularly relevant:
Legal framework: Recommendations 1, 3, 4 and 5
Measures to be taken by firms: Recommendations 9, 10, 11, 17 and 20
Supervisory regime: Recommendations 26, 27 and 35
International co-operation: Recommendations 2 and 40
24. Summaries of FATF and FATF-style evaluations are published in FATF Annual Reports and can
be accessed at www.fatf-gafi.org. However, mutual evaluation reports prepared by some FATF-
style regional bodies may not be carried out fully to FATF standards, and firms should bear this
in mind if a decision on whether a jurisdiction is low risk is based on such reports.
IMF/World Bank
25. As part of their financial stability assessments of countries and territories, the IMF and the World
Bank have agreed with FATF a detailed methodology for assessing compliance with AML/CTF
standards, using the FATF Recommendations as the base. A number of countries have already
undergone IMF/World Bank assessments in addition to those carried out by FATF, and some of
the results can be accessed at www.imf.org. Where IMF/World Bank assessments relate to FATF
members, the assessments are formally adopted by the FATF and appear on the FATF website.
26. Information on the extent and quality of supervision of AML/CTF standards may be obtained
from the extent to which a jurisdiction complies with Recommendations 17, 23, 29 and 30.
27. In respect of any particular jurisdiction, the level and extent of due diligence that needs to be
carried out in making a judgement on the level of risk will be influenced by the volume and size
of the firm’s business with that jurisdiction in relation to the firm’s overall business.
Prohibition notices
28. Under certain circumstances, HM Treasury may, pursuant to the Counter-Terrorism Act 2008,
Schedule 7, issue directions to a firm in relation to customer due diligence; ongoing monitoring;
systematic reporting; and limiting or ceasing business. Details of any such HM Treasury
directions will be found at www.hm-treasury.gov.uk.
Advisory notices
HM Treasury
29. HM Treasury issues advisory notices in which it expresses the UK’s full support of the work of
the FATF on jurisdictions of concern. The HM Treasury advisory notice is available at
https://www.gov.uk/government/publications/money-laundering-and-terrorist-financing-controls-in-overseas-jurisdictions-advisory-notice
30. The FATF issues periodic announcements about its concerns regarding the lack of comprehensive
AML/CTF systems in various jurisdictions.
31. The FATF maintains a Public Statement which lists jurisdictions of concern in three categories:
1. Jurisdictions subject to a FATF call on its members and other jurisdictions to apply
countermeasures to protect the international financial system from the ongoing and substantial
money laundering and terrorist financing (ML/TF) risks emanating from the jurisdiction.
2. Jurisdictions with strategic AML/CTF deficiencies that have not committed to an action plan
developed with the FATF to address key deficiencies. The FATF calls on its members to
consider the risks arising from the deficiencies associated with each jurisdiction, as described
below.
32. The FATF also maintains a statement Improving Global AML/CTF Compliance: On-going
Process, which lists jurisdictions identified as having strategic AML/CTF deficiencies for which
they have developed an action plan with the FATF. While the situations differ among
jurisdictions, each has provided a written high-level political commitment to address the
identified deficiencies. The FATF will closely monitor the implementation of these action plans
and encourages its members to consider the information set out in the statement.
33. The latest versions of these FATF Statements are available at http://www.fatf-gafi.org.
FCA
34. The FCA expect firms they supervise for money laundering purposes to consider the impact of
these statements on their policies and procedures.
ANNEX 4-II
Risk factors that may be relevant when considering the risk associated with a customer’s or
their beneficial owners’ business or professional activity include:
• Does the customer or beneficial owner have links to sectors that are associated with
higher corruption risk, such as construction, pharmaceuticals and healthcare, arms trade
and defence, extractive industries and public procurement?
• Does the customer or beneficial owner have links to sectors that are associated with
higher ML or TF risk, for example certain Money Service Businesses, casinos or
dealers in precious metals?
• Does the customer or beneficial owner have links to sectors that involve significant
amounts of cash?
• Where the customer is a legal person, what is the purpose of their establishment? For
example, what is the nature of their business?
• Does the customer have political connections, for example, are they a Politically
Exposed Person (PEP), or is their beneficial owner a PEP? Does the customer or
beneficial owner have any other relevant links to a PEP, for example, are any of the
customer’s directors PEPs and if so, do these PEPs exercise significant control over the
customer or beneficial owner? In what jurisdiction is the PEP, his business or a
business he is connected with, located?
• Does the customer or beneficial owner hold another public position that might enable
them to abuse public office for private gain? For example, are they senior or regional
public figures with the ability to influence the awarding of contracts, decision-making
members of high profile sporting bodies or individuals that are known to influence the
government and other senior decision-makers?
• Is the customer’s or their beneficial owner’s background consistent with what the firm
knows about their former, current or planned business activity, their business’ turnover,
the source of funds and the customer’s or beneficial owner’s source of wealth?
B. Reputation
The following risk factors may be relevant when considering the risk associated with a
customer’s or their beneficial owners’ reputation:
• Are there any adverse media reports or other relevant information sources about the
customer? For example, are there any allegations of criminality or terrorism against the
customer or their beneficial owners? If so, are these credible? Firms should determine
the credibility of allegations on the basis of the quality and independence of the source
data and the persistence of reporting of these allegations, among others. The absence of
criminal convictions alone may not be sufficient to dismiss allegations of wrongdoing.
• Does the firm know if the customer or beneficial owner has been subject to a
suspicious activity report in the past?
• Does the firm have any in-house information about the customer’s or their beneficial
owner’s integrity, obtained, for example, in the course of a long-standing business
relationship?
The following risk factors may be relevant when considering the risk associated with a
customer’s or their beneficial owners’ nature and behaviour (not all of these risk factors will be
apparent at the outset, but may emerge only once a business relationship has been established):
• Does the customer have legitimate reasons for being unable to provide robust evidence
of their identity, perhaps because they are an asylum seeker?
• Does the firm have any doubts about the veracity or accuracy of the customer’s or
beneficial owner’s identity?
• Are there indications that the customer might seek to avoid the establishment of a
business relationship? For example, does the customer look to carry out one or several
one-off transactions where the establishment of a business relationship might make
more economic sense?
• Is the customer’s ownership and control structure transparent and does it make sense?
If the customer’s ownership and control structure is complex or opaque, is there an
obvious commercial or lawful rationale?
• Is the customer a legal person or arrangement that could be used as an asset holding
vehicle?
• Is there a sound reason for changes in the customer’s ownership and control structure?
• Does the customer request transactions that are complex, unusually or unexpectedly
large or have an unusual or unexpected pattern without apparent economic or lawful
purpose or a sound commercial rationale? Are there grounds to suspect that the
customer is trying to evade certain thresholds?
• Can the customer’s or beneficial owner’s source of wealth or source of funds be easily
explained, for example through their occupation, inheritance or investments?
• Does the customer use their products and services as expected when the business
relationship was first established?
• Where the customer is a non-resident, could their needs be better serviced elsewhere?
Is there a sound economic or lawful rationale for the customer requesting the type of
financial service sought? Note that EU law creates a right for customers who are legally
resident in the EU to obtain a basic bank account, but this right applies only to the extent
that firms can comply with their AML/CTF obligations.
When identifying the risk associated with countries and geographic areas, firms should consider
the risk related to:
a) the jurisdiction in which the customer or beneficial owner is based;
b) the jurisdictions which are the customer’s or beneficial owner’s main place of
business; and
c) the jurisdiction to which the customer or beneficial owner has relevant personal
links.
Annex 4-I sets out further guidance on considerations firms might take account of in assessing
the level of ML/TF risk in different jurisdictions.
When identifying the risk associated with their products, services or transactions, firms should
consider the risk related to:
Risk factors that may be relevant when considering the risk associated with a product, service
or transaction’s transparency include:
• To what extent do products or services facilitate or allow anonymity or opaqueness of
customer, ownership or beneficiary structures, for example pooled accounts, bearer
shares, fiduciary deposits, offshore and certain trusts, or legal entities like foundations
that are structured in a way to take advantage of anonymity and dealings with shell
companies or companies with nominee shareholders that could be abused for illicit
purposes?
• To what extent is it possible for a third party that is not part of the business
relationship to give instructions, e.g. certain correspondent banking relationships?
Risk factors that may be relevant when considering the risk associated with a product, service
or transaction’s complexity include:
• To what extent is the transaction complex and involves multiple parties or multiple
jurisdictions, for example certain trade finance transactions? Are transactions
straightforward, for example regular payments into a pension fund?
• To what extent do products or services allow payments from third parties or accept
overpayments where this is not normally foreseen? Where third party payments are
foreseen, does the firm know the third party’s identity, for example a state benefit
authority or a guarantor? Or are products and services funded exclusively by fund
transfers from the customer’s own account at another financial institution that is subject
to AML/CTF standards and oversight that are comparable to those required under the
UK regime?
• Does the firm understand the risks associated with its new or innovative product or
service, in particular where this involves the use of new technologies or payment
methods?
Risk factors that may be relevant when considering the risk associated with a product, service
or transaction’s value or size include:
• To what extent are products or services cash intensive, such as many payment
services but also certain current accounts?
When identifying the risk associated with the way the customer obtains the products or services
they require, firms should consider the risk related to:
a) the extent to which the business relationship is conducted on a non-face to face basis;
and
b) any introducers or intermediaries the firm might use and the nature of their
relationship to the firm.
When assessing the risk associated with the way the customer obtains the product or services,
firms should consider a number of factors including:
• Is the customer physically present for identification purposes? If they are not, has the
firm used a reliable form of non-face to face CDD? Has it taken steps to prevent
impersonation or identity fraud?
• Has the customer been introduced from other parts of the same financial group and if
so, to what extent can the firm rely on this introduction as reassurance that the customer
will not expose the firm to excessive ML/TF risk? What has the firm done to satisfy
itself that the group entity applies CDD measures to UK standards?
• Has the customer been introduced from a third party, for example a bank that is not
part of the same group, and is the third party a financial institution or is their main
business activity unrelated to financial service provision? What has the firm done to be
satisfied that:
i. the third party applies CDD measures and keeps records to UK standards and
that it is supervised for compliance with comparable AML/CTF obligations in
line with UK requirements?
ii. the third party will provide, immediately upon request, relevant copies of
identification and verification data, among others in line with UK
requirements? and
iii. the quality of the third party’s CDD measures is such that it can be relied
upon?
• Has the customer been introduced through a tied agent, i.e. without direct firm
contact? To what extent can the firm be satisfied that the agent has obtained enough
information so that the firm knows its customer and the level of risk associated with the
business relationship?
• If independent or tied agents are used, to what extent are they involved on an ongoing
basis in the conduct of business? How does this affect the firm’s knowledge of the
customer and ongoing risk management?
i. a regulated person subject to AML obligations that are consistent with those
of the UK regime?
ii. subject to effective AML supervision? Are there any indications that the
intermediary’s level of compliance with applicable AML legislation or
regulation is inadequate, for example because the intermediary has been
sanctioned for breaches of AML/CTF obligations?
iii. based in a jurisdiction associated with higher ML/TF risk? Where a third
party is based in a high risk third country that the Commission has identified as
having strategic deficiencies, firms must not rely on that intermediary.
However, reliance may be possible provided that the intermediary is a branch
or majority-owned subsidiary undertaking of another firm established in the
EU, and the firm is confident that the intermediary fully complies with
group-wide policies, controls and procedures in line with UK requirements.
ANNEX 4-III
Firms should keep their assessment of ML/TF risk associated with individual business relationships and
occasional transactions, as well as the underlying factors, under review to ensure their assessment of
ML/TF risk remains up to date and relevant. Firms should assess information obtained as part of their
ongoing monitoring of the business relationship and consider whether this affects the risk assessment.
Firms should also ensure that they have systems and controls in place to identify emerging ML/TF risks
and that they can assess and, where appropriate, incorporate these in their business-wide and individual
risk assessments in a timely manner.
Examples of systems and controls firms should put in place to identify emerging risks include:
• processes to ensure the firm regularly reviews relevant information sources. This should
involve, in particular:
i. regularly reviewing media reports that are relevant to the sectors or jurisdictions the
firm is active in;
ii. ensuring that the firm becomes aware of changes to terror alerts and sanctions
regimes as soon as they occur, for example by regularly reviewing terror alerts and
looking for sanctions regime updates; and
iii. regularly reviewing thematic reviews and similar publications issued by competent
authorities.
• engagement with other industry representatives and competent authorities (such as round
tables, conferences and training) and processes to feed back any findings to relevant staff;
and
• establishing a culture of information sharing within the firm and strong company ethics.
Examples of systems and controls firms should put in place to ensure their individual and business-wide
risk assessment remains up to date include:
• setting a date at which the next risk assessment update takes place, e.g. on the 1 March
every year, to ensure new or emerging risks are included in the risk assessment. Where the
firm is aware that a new risk has emerged, or an existing one has increased, this should be
reflected in the risk assessment as soon as possible; and
• carefully recording issues throughout the year that could have a bearing on the risk
assessment, such as internal suspicious transaction reports, compliance failures and
intelligence from front office staff.
Like the original risk assessments, any update of a risk assessment and adjustment of accompanying
CDD measures should be proportionate and commensurate with the ML/TF risk.
CHAPTER 5
➢ Relevant UK law/regulation
▪ Regulations 4-6, 27-38
▪ POCA ss 330 – 331, 334(2), 342
▪ Terrorism Act
▪ Counter-terrorism Act 2008, Schedule 7
▪ Financial sanctions legislation
➢ Customers that may not be dealt with
▪ UN Sanctions resolutions 1267 (1999), 1373 (2001), 1333 (2002), 1390 (2002) and 1617
(2005)
▪ EC Regulation 2580/2001, 881/2002 (as amended), 423/2007 and 1110/2008
▪ EU Regulation 2016/1686
▪ Terrorism Act, 2000, Sch 2
▪ Terrorism (United Nations Measures) Orders 2006 and 2009
▪ Al-Qa’ida and Taliban (United Nations Measures) Order 2006
▪ HM Treasury Sanctions Notices and News Releases
➢ Regulatory regime
▪ SYSC 6.1.1 R, 6.3.7(5) G
▪ FCA Financial Crime Guide
▪ FCA PEPs guidance
➢ Other material pointing to good practice
▪ FATF Recommendations
▪ FATF Guidance on the risk-based approach: High level principles and procedures
▪ Basel paper – Sound management of risks related to money laundering and financing of
terrorism
▪ IAIS Guidance Paper 5
▪ IOSCO Principles paper
▪ ESA Risk Factor Guidelines
➢ Core obligations
▪ Must carry out prescribed CDD measures for all customers not covered by exemptions
▪ Must have systems to deal with identification issues in relation to those who cannot produce
the standard evidence
▪ Must take a risk based approach when applying enhanced due diligence to take account of the
greater potential for money laundering in higher risk cases, specifically in respect of PEPs and
correspondent relationships
▪ Some persons/entities must not be dealt with
▪ Must have specific policies in relation to the financially (and socially) excluded
▪ If satisfactory evidence of identity is not obtained, the business relationship must not proceed
further
▪ Must have some system for keeping customer information up to date
5.1.1 The ML Regulations 2017 specify CDD measures that are required to
be carried out, and the timing, as well as actions required if CDD
measures are not carried out. The Regulations then describe
circumstances in which limited CDD measures are permitted (referred
to as ‘Simplified Due Diligence’), and those customers and
circumstances where enhanced due diligence is required. Provision for
Regulation 28(12),(16) 5.1.4 Firms must determine the extent of their CDD measures and ongoing
monitoring on a risk-sensitive basis, depending on the type of customer,
business relationship, product or transaction. They must be able to
demonstrate to their supervisory authority that the extent of their CDD
measures and monitoring is appropriate in view of the risks of money
laundering and terrorist financing.
Regulation 28(1), (2) 5.1.5 The CDD measures that must be carried out involve:
Regulation 28(4)(c),(5) 5.1.6 Where the beneficial owner is a legal person (other than a company
listed on a regulated market), trust, company, foundation or similar legal
arrangement, firms must take reasonable measures to understand the
ownership and control structure of that legal person, trust, company,
foundation or legal arrangement.
Regulations 33-38 5.1.8 For some business relationships, determined by the firm to present a low
degree of risk of ML/TF, simplified due diligence (SDD) may be
applied; in the case of higher risk situations, and specifically in relation
to PEPs or correspondent relationships with non-EEA respondents,
Regulation 28(11) 5.1.9 Firms must conduct ongoing monitoring of the business relationship
with their customers (see paragraphs 5.7.1ff), including the scrutiny of
transactions undertaken throughout the course of the relationship and
keeping CDD information up to date. This is a separate, but related,
obligation from the requirement to apply CDD measures.
Regulations 27, 28; POCA, ss 327-334; Terrorism Act s 21A 5.1.10 The CDD and monitoring obligations on firms under legislation and
regulation are designed to make it more difficult for the financial
services industry to be used for money laundering or terrorist financing.
5.1.11 Firms also need to know who their customers are to guard against fraud,
including impersonation fraud, and the risk of committing offences
under POCA and the Terrorism Act, relating to money laundering and
terrorist financing.
Criminal Finances Act 5.1.12 Tax evasion is a predicate offence leading to money laundering. Failing
to report knowledge or suspicions relating to such an activity is an
offence committed by a firm.
5.1.13 Firms therefore need to carry out customer due diligence, and
monitoring, for two broad reasons:
5.1.14 It may often be appropriate for the firm to know rather more about the
customer than his identity: it will, for example, often need to be aware
of the nature of the customer’s business or activities in order to assess
the extent to which his transactions and activity undertaken with or
through the firm is consistent with that business.
5.1.15 FATF, the Basel Committee, IAIS and IOSCO have issued
recommendations on the steps that should be taken to identify
customers. FATF has also published guidance on high level principles
and procedures on the risk-based approach. The Basel Committee’s
recommendations comprise a set of guidelines on the Sound
management of risks relating to money laundering and financing of
terrorism. Although the Basel paper is addressed to banks, the IAIS
Regulation 27(1) 5.2.1 A firm must apply CDD measures when it does any of the following:
Timing of verification
Regulation 30(2) 5.2.2 General rule: The verification of the identity of the customer and,
where applicable, the beneficial owner, must, subject to the exceptions
referred to below, take place before the establishment of a business
relationship or the carrying out of a transaction.
Regulation 30(3) 5.2.3 Exception if necessary not to interrupt normal business and there
is little risk: In any other case, verification of the identity of the
customer, and where there is one, the beneficial owner, may be
completed during the establishment of a business relationship if
(a) this is necessary not to interrupt the normal conduct of business and
(b) there is little risk of money laundering or terrorist financing
occurring
Regulation 30(4),(5) 5.2.4 Exception when opening an account: The verification of the identity of
a customer (or beneficial owner, if there is one) opening an account may
take place after the account (including an account which permits
transactions in transferable securities) has been opened, provided that
there are adequate safeguards in place to ensure that no transactions are
carried out by or on behalf of the customer before verification has been
completed.
Regulation 30(6),(7) 5.2.5 Other exceptions: Where a firm is required to apply CDD measures in
the case of a trust, a legal entity (other than a body corporate) or a legal
arrangement (other than a trust), and the beneficiaries of that trust, entity
or arrangement are designated as a class, or by reference to particular
characteristics, the firm must establish and verify the identity of the
beneficiary before –
Regulation 31(1) 5.2.6 Where a firm is unable to apply CDD measures in relation to a customer,
the firm
(a) must not carry out a transaction through a bank account with or on
behalf of the customer;
(b) must not establish a business relationship or carry out a transaction
with the customer otherwise than through a bank account;
(c) must terminate any existing business relationship with the
customer;
(d) must consider whether it ought to be making a report to the NCA,
in accordance with its obligations under POCA and the Terrorism
Act.
Regulation 31(1),(2) 5.2.8 If the firm concludes that the circumstances do give reasonable grounds
for knowledge or suspicion of money laundering or terrorist financing,
a report must be made to the NCA (see Chapter 6). The firm must
then retain the funds until consent has been given to return the funds to
the source from which they came.
Regulation 31(2) 5.2.9 If the firm concludes that there are no grounds for making a report, it
will need to decide on the appropriate course of action. This may be to
retain the funds while it seeks other ways of being reasonably satisfied
as to the customer’s identity, or to return the funds to the source from
which they came. Returning the funds in such a circumstance is part of
the process of terminating the relationship; it is closing the account,
rather than carrying out a transaction with the customer through a bank
account.
Regulation 28(1) 5.3.1 Applying CDD measures involves several steps. The firm is required
to verify the identity of customers and, where applicable, beneficial
owners. The purpose and intended nature of the business relationship
must also be assessed, and if appropriate, information on this obtained.
Regulation 28(2)(a) 5.3.2 The firm identifies the customer by obtaining a range of information
about him. The verification of the identity consists of the firm verifying
some of this information against documents or information obtained
from a reliable source which is independent of the customer.
5.3.3 The term ‘customer’ is not defined in the ML Regulations, and its
meaning has to be inferred from the definitions of ‘business
relationship’ and ‘occasional transaction’, the context in which it is used
in the ML Regulations, and its everyday dictionary meaning. It should
be noted that for AML/CTF purposes, a ‘customer’ may be wider than
the FCA Glossary definition of ‘customer’.
5.3.4 In general, the customer will be the party, or parties, with whom the
business relationship is established, or for whom the transaction is
carried out. Where, however, there are several parties to a transaction,
not all will necessarily be customers. Further, more specific, guidance
for relevant sectors is given in Part II. Section 5.6 is also relevant in this
context.
25 ‘transfer of funds’ means any transaction at least partially carried out by electronic means on behalf of a payer through a
payment service provider, with a view to making funds available to a payee through a payment service provider, irrespective of
whether the payer and the payee are the same person and irrespective of whether the payment service provider of the payer and
that of the payee are one and the same, including:
(a) a credit transfer as defined in point (1) of Article 2 of Regulation (EU) No 260/2012;
(b) a direct debit as defined in point (2) of Article 2 of Regulation (EU) No 260/2012;
(c) a money remittance as defined in point (13) of Article 4 of Directive 2007/64/EC, whether national or cross border;
(d) a transfer carried out using a payment card, an electronic money instrument, or a mobile phone, or any other digital or IT
prepaid or postpaid device with similar characteristics.
Regulations 6(9), 5.3.8 A beneficial owner is normally an individual who ultimately owns or
controls the customer or on whose behalf a transaction is being
conducted. In respect of private individuals the customer himself is the
beneficial owner, unless there are features of the transaction, or
surrounding circumstances, that indicate otherwise. Therefore, there is
no requirement on firms to make proactive searches for beneficial
owners in such cases, but they should make appropriate enquiries where
it appears that the customer is not acting on his own behalf.
Regulation 5(1),(3) 5.3.9 The ML Regulations define beneficial owners as individuals either
owning or controlling more than 25% of body corporates or partnerships
or otherwise owning or controlling the customer. These individuals
must be identified, and reasonable measures must be taken to verify
their identities.
Regulation 6(1) 5.3.10 In relation to a trust, the ML Regulations define the beneficial owner as
each of:
➢ the settlor;
➢ the trustees;
➢ the beneficiaries, or where the individuals benefiting from the trust
have not been determined, the class of persons in whose main
interest the trust is set up, or operates;
➢ any individual who has control over the trust.
Regulation 6(3) 5.3.11 In relation to a foundation or other legal arrangement similar to a trust,
the beneficial owners are those who hold equivalent or similar positions
to those set out in paragraph 5.3.10.
Regulation 6(7),(8) 5.3.12 In relation to a legal entity or legal arrangement which does not fall
within 5.3.8-5.3.10, the beneficial owners are:
Regulation 28(2)(a),(b),(4)(b),(18) 5.3.14 The verification requirements under the ML Regulations are, however,
different as between a customer and a beneficial owner. The identity
of a customer or beneficial owner must be verified on the basis of
documents or information obtained from a reliable source which is
independent of the customer. For these purposes, documents issued or
made available by an official body are to be regarded as being
independent of a person even if they are provided or made available to
the firm by or on behalf of that person. The obligation to verify the
identity of a beneficial owner, however, is for the firm to take
reasonable measures so that it is satisfied that it knows who the
beneficial owner is. It is up to each firm to consider whether it is
appropriate, in light of the money laundering or terrorist financing risk
associated with the business relationship, to make use of records of
beneficial owners in the public domain, ask their customers for relevant
data, require evidence of the beneficial owner’s identity on the basis of
documents or information obtained from a reliable source which is
independent of the customer, or obtain the information in some other
way.
5.3.15 In low risk situations, therefore, it may be reasonable for the firm to
confirm the beneficial owner’s identity based on information supplied
by the customer. This could include information provided by the
customer (including trustees or other representatives whose identities
have been verified) as to their identity, and confirmation that they are
known to the customer. While this may be provided orally or in
writing, any information received orally should be recorded in written
form by the firm.
Regulation 6(1)(c)(d) 5.3.16 In some trusts and similar arrangements, instead of being an individual,
the beneficial owner may be a class of persons who may benefit from
the trust (see paragraphs 5.3.258ff). Where only a class of persons is
required to be identified, it is sufficient for the firm to ascertain and
name the scope of the class. It is not necessary to identify every
individual member of the class.
Existing customers
Regulations 27(8), 29(7) 5.3.17 Firms must apply CDD measures at appropriate times to their existing
customers on a risk-sensitive basis. Firms must also apply CDD
measures to any anonymous accounts or passbooks before they are used.
The obligation to report suspicions of money laundering, or terrorist
financing, however, applies in respect of all the firm’s customers, as
does the UK financial sanctions regime (see paragraphs 5.3.54-5.3.61).
Regulation 27(9) 5.3.18 As risk dictates, therefore, firms must take steps to ensure that they hold
appropriate information to demonstrate that they are satisfied that they
know all their customers. Where the identity of an existing customer
has already been verified to a previously applicable standard then, in the
absence of circumstances indicating the contrary, the risk is likely to be
low. A range of trigger events, such as an existing customer applying
to open a new account or establish a new relationship, might prompt a
firm to seek appropriate evidence.
5.3.19 Firms that do not seriously address risks (including the risk that they
have not confirmed the identity of existing customers) are exposing
5.3.21 When a firm acquires the business and customers of another firm, either
as a whole, or as a portfolio, it is not necessary for the identity of all
existing customers to be re-verified, provided that:
Regulation 28(2)(c) 5.3.23 A firm must understand the purpose and intended nature of the business
relationship or transaction to assess whether the proposed business
relationship is in line with the firm’s expectation and to provide the firm
with a meaningful basis for ongoing monitoring. In some instances this
will be self-evident, but in many cases the firm may have to obtain
information in this regard. Whether, and to what extent, the customer
has contact or business relationships with other parts of the firm, its
business or wider group can also be relevant, especially for higher risk
customers. The customer may have different risk profiles in different
parts of the business or group.
5.3.24 Depending on the firm’s risk assessment of the situation, carried out in
accordance with the guidance set out in Chapter 4, information that
might be relevant may include some or all of the following:
5.3.25 Having a lower money laundering and/or terrorist financing risk for
identification and verification purposes does not automatically mean
that the same customer is lower risk for all types of CDD measures, in
particular for ongoing monitoring of transactions.
5.3.26 When assessing the money laundering and terrorist financing risks
relating to types of customers, countries or geographic areas, and
particular products, services, transactions or delivery channels risk,
firms should take into account risk variables relating to those risk
categories, including those set out in the ESA Risk Factor Guidelines26
(see Annex 4-II). These variables, either singly or in combination, may
increase or decrease the potential risk posed, thus impacting on the
appropriate level of CDD measures. Examples of such variables
include:
➢ The purpose of an account or relationship
➢ The level of assets to be deposited by a customer or the size of
transactions undertaken
➢ The regularity or duration of the business relationship
Regulation 28(11)(b) 5.3.27 Documents or information obtained for the purposes of applying CDD
measures, held about customers, must be kept up to date. Once the
identity of a customer has been satisfactorily verified, there is no
obligation to re-verify identity (unless doubts arise as to the veracity or
adequacy of the evidence previously obtained for the purposes of
customer identification); as risk dictates, however, firms must take steps
to ensure that they hold appropriate up-to-date information on their
customers. A range of trigger events, such as an existing customer
applying to open a new account or establish a new relationship, might
prompt a firm to seek appropriate evidence.
26 These Guidelines were published on 26 June 2017, to take effect by 26 June 2018. See
https://www.eba.europa.eu/documents/10180/1890686/Final+Guidelines+on+Risk+Factors+%28JC+2017+37%29.pdf
Evidence of identity
Regulation 28(2)(a)(b),(18) 5.3.31 The ML Regulations require that customer due diligence must be carried
out on the basis of documents or information obtained from a reliable
source which is independent of the customer. It is therefore important
that the evidence used to verify identity meet this test, both at
on-boarding stage and subsequently when due diligence is revised/updated.
Regulation 28(12) 5.3.34 How much identity information or evidence to ask for, the balance
between asking for documents and using electronic sources, and what
to verify, in order to be reasonably satisfied as to a customer’s identity,
and to guard against impersonation, are matters for the judgement of the
firm, which must be exercised on a risk-based approach, as set out in
Chapter 4, taking into account factors such as:
➢ the nature of the product or service sought by the customer (and any
other products or services to which they can migrate without further
identity verification);
5.3.35 An appropriate record of the steps taken, and copies of, or references
to, the evidence obtained to identify the customer must be kept.
Documentary evidence
5.3.38 Firms should recognise that some documents are more easily forged
than others. If suspicions are raised in relation to any document offered,
firms should take whatever practical and proportionate steps are
available to establish whether the document offered has been reported
as lost or stolen.
Electronic evidence
5.3.39 Firms may choose to use electronic/digital identity checks where this is
possible, either on their own or in conjunction with documentary
evidence.
5.3.41 Firms should understand the basis upon which any particular source is
established and whether, and if so how, its compliance with specific
criteria, and performance are monitored.
5.3.43 Given the increasing prevalence of social media data, firms may
consider it appropriate, in some circumstances, to take such information
into account as corroboration for, or supplementary to, their CDD
measures. However, firms should have regard to the risks inherent in
the reliability of this data.
5.3.45 Firms should recognise that some electronic sources may be more easily
tampered with, in the sense of their data being able to be amended
informally and unofficially, than others. If suspicions are raised in
relation to the integrity of any electronic information obtained, firms
should take whatever practical and proportionate steps are available to
establish whether these suspicions are substantiated, and if so, whether
the relevant source should be used.
5.3.48 Such information should include data from more robust sources - where
an individual has to prove their identity, or address, in some way in
5.3.54 The United Nations, European Union, and United Kingdom are each
able to designate persons and entities as being subject to financial
sanctions, in accordance with relevant legislation. Such sanctions
normally include a comprehensive freeze of funds and economic
resources, together with a prohibition on making funds or economic
resources available to the designated target. A Consolidated List of all
targets to whom financial sanctions apply is maintained by OFSI, and
includes all individuals and entities that are subject to financial
sanctions in the UK. This list is at:
www.gov.uk/government/publications/financial-sanctions-consolidated-list-of-targets.
5.3.55 The obligations under the UK financial sanctions regime apply to all
firms, and not just to banks. The Consolidated List includes all the
names of designated persons under UN, EC and UK sanctions regimes
which have effect in the UK. Firms will not normally have any
obligation under UK law to have regard to lists issued by other
organisations or authorities in other countries, although a firm doing
business in other countries will need to be aware of the scope and focus
of relevant financial sanctions regimes in those countries. Other
websites may contain useful background information, but the purpose
of the HM Treasury list is to draw together in one place all the names of
designated persons for the various sanctions regimes effective in the
UK. All firms to whom this guidance applies, therefore, whether or not
they are FCA-regulated or subject to the ML Regulations, will need
either:
5.3.56 The origins of such sanctions and the sources of information for the
Consolidated List are set out in Part III, section 4.
5.3.57 OFSI may also be contacted direct to provide guidance and to assist
with any concerns regarding the implementation of financial sanctions:
CTA 2008, Schedule 7 5.3.61 Under certain circumstances, HM Treasury may issue directions to a
firm in relation to customer due diligence; ongoing monitoring;
systematic reporting; and limiting or ceasing business. Details of any
such HM Treasury directions will be found at www.hm-treasury.gov.uk.
Guidance on complying with directions issued by HM Treasury under
CTA 2008, Schedule 7 is given in Part III, section 5.
Illegal immigrants
s40 (1), (2) 5.3.63 Under the Immigration Act 2014, a bank or building society must not
open a current account for a person who is in the UK but does not have
leave to enter or remain in the UK.
s 40 (3) 5.3.64 Confirmation that a person is not entitled to enter or remain in the UK
can be obtained through carrying out a check with a specified[27]
anti-fraud organisation or a specified data matching authority.
[27] See The Immigration Act 2014 (Specified Anti-fraud Organisation) Order 2014 SI 2014/1798
5.3.65 Normal CDD measures must still be applied to the customer once his
immigration status has been checked. Where a current account is
refused, the person must be informed it is for reasons of immigration
status.
Regulation 34 (2), (3), (4)(b) 5.3.66 Firms must not enter into, or continue, a correspondent relationship with
a shell bank. Firms must take appropriate measures to ensure that they
do not enter into or continue a correspondent relationship with a bank
that is known to allow its accounts to be used by a shell bank. A shell
bank is an entity incorporated in a jurisdiction where it has no physical
presence involving meaningful decision-making and management, and
which is not part of a financial conglomerate.
Regulation 29(6),(7) 5.3.67 Firms carrying on business in the UK must not set up an anonymous
account or an anonymous passbook for any new or existing customer.
All firms carrying on business in the UK must apply CDD measures to
all existing anonymous accounts and passbooks before such accounts or
passbooks are used in any way.
5.3.68 Firms should pay special attention to any money laundering or terrorist
financing threat that may arise from products or transactions that may
favour anonymity and take measures, if needed, to prevent their use for
money laundering or terrorist financing purposes.
Private individuals
General
5.3.69 Paragraphs 5.3.71 to 5.3.91 refer to the standard identification
requirement for customers who are private individuals; paragraphs
5.3.92 to 5.3.125 provide further guidance on steps that may be applied
as part of a risk-based approach.
Identification
5.3.71 The firm should obtain the following information in relation to the
private individual:
➢ full name
➢ residential address
➢ date of birth
Verification
Regulation 28(18)(b) 5.3.72 Verification of the information obtained must be based on reliable
sources, independent of the customer – which might either be a
document or documents produced by the customer, or electronically by
the firm, or by a combination of both. Documents issued or made
available by an official body are regarded as independent of the
customer, even if they are provided or made available to the firm by the
customer. Where business is conducted face-to-face, firms should see
originals of any documents involved in the verification. Customers
should be discouraged from sending original valuable documents by
post.
A – DOCUMENTARY EVIDENCE
[28] It should be noted that as well as a general expiry date for UK driving licences, the photograph has a separate
expiry date (10 years from first issue). Northern Ireland driving licences have a single expiry date, which is ten
years from date of issue.
This can be used to check the validity of passports of any country that
issues machine-readable passports.
B – ELECTRONIC EVIDENCE
5.3.80 Electronic verification may be carried out by the firm either direct, using
as its basis the customer’s full name, address and date of birth, or
through an organisation which meets the criteria in paragraphs 5.3.51
and 5.3.52.
5.3.88 Additional measures would also include assessing the possibility that
the customer is deliberately avoiding face-to-face contact. It is therefore
important to be clear on the appropriate approach in these
circumstances.
5.3.91 The source(s) of information used to verify that an individual exists may
be different from those sources used to verify that the potential customer
is in fact that individual.
Other considerations
5.3.93 Where the result of the standard verification check gives rise to concern
or uncertainty over identity, or other risk considerations apply, the
number of matches that will be required to be reasonably satisfied as to
the individual’s identity will increase.
5.3.94 For higher risk customers, the need to have additional information needs
to be balanced against the possibility of instituting enhanced monitoring
(see sections 5.5 and 5.7).
Regulation 6(6) 5.3.95 In the case of an estate of a deceased person in the course of
administration, the beneficial owner is
2005, c 9; SI 2007/1253 5.3.97 Under the Mental Capacity Act 2005 (and related Regulations), the
Court of Protection will be able to make an order concerning a single
decision in cases where a one-off decision is required regarding
someone who lacks capacity. The Court can also appoint a deputy or
deputies (previously referred to as receivers) where it is satisfied that a
series of decisions needs to be made for a person who lacks capacity.
5.3.98 Firms may accept the court documents appointing the deputy, or
concerning a single act, as evidence of identity of the person appointed.
Attorneys
5.3.99 When a person deals with assets under a power of attorney, that person
is also a customer of the firm. Consequently, the identity of holders of
powers of attorney should be verified, in addition to that of the donor.
5.3.101 New Enduring Powers of Attorney are no longer able to be entered into,
but where one has already been registered with the Office of the Public
Guardian, the firm will know that the donor has lost, or is losing,
capacity. A Lasting Power of Attorney cannot be used until it has been
registered, but, subject to any restrictions, this may be done at any time,
including while the donor is still able to manage their affairs.
Therefore, the firm will not necessarily know whether or not the donor
has lost capacity.
[29] 1900 c.55. Sections 6 and 7 were amended by the Succession (Scotland) Act 1964 (c.41)
[30] http://www.mentalhealthlaw.co.uk/media/Banking_guidance_for_banks_3-4-13.pdf
5.3.104 One of the restrictions that will apply to a product that qualifies for
using the source of funds as evidence will be an inability to make
payments direct to, or to receive payments direct from, third parties. If,
subsequent to using the source of funds to verify the customer’s
identity, the firm decides to allow such a payment or receipt to proceed,
it should verify the identity of the third party. A further restriction
would be that cash withdrawals should not be permitted, other than by
the customers themselves, on a face-to-face basis where identity can be
confirmed.
of customers whose identity may not need to be verified until the time
of redemption.
SYSC 6.3.7 (5) G; Financial Inclusion Task Force, December 2010 5.3.109 The FCA Rules adopt a broad view of financial exclusion, in terms of
ensuring that, where people cannot reasonably be expected to produce
standard evidence of identity, they are not unreasonably denied access
to financial services. The term is sometimes used in a narrower sense;
for example, the Financial Inclusion Task Force refers to those who, for
specific reasons, do not have access to mainstream banking or financial
services - that is, those at the lower end of income distribution who are
socially/financially disadvantaged and in receipt of benefits, or those
who choose not to seek access to financial products because they believe
that they will be refused.
5.3.110 Firms offering financial services directed at the financially aware may
wish to consider whether any apparent inability to produce standard
levels of identification evidence is consistent with the targeted market
for these products.
5.3.112 The guidance at paragraph 5.3.75 does not require that in all cases a
customer’s address should be verified – the standard verification is
verification of name and a choice between verifying address or date of
birth. Providing the standard evidence of address can be a particular
difficulty for many new arrivals to the UK, and firms should have regard
to this fact in deciding whether, in particular cases, to insist on address
verification, and if so, how this might be satisfied.
person who knows the individual, that indicates that the person is who
he says he is.
5.3.115 An entitlement letter from the DWP, or a letter from the DWP
confirming that the person is in receipt of a pension, could provide
evidence of identity. If this is not available, or is inappropriate, a letter
from an appropriate person, for example, the matron of a care home,
may provide the necessary evidence.
5.3.116 Guidance on dealing with customers who lack, or are losing, capacity to
manage their affairs, covering Powers of Attorney; Court of Protection
Orders; and Appointeeship, is set out in a BBA leaflet, “Guidance for
people wanting to manage a bank account for someone else”, which can
be obtained from the British Bankers’ Association at www.bba.org.uk
(see also paragraphs 5.3.97 – 5.3.101). Although this leaflet is directed
at banks, its contents have more general application.
Gender reassignment
5.3.117 A firm should satisfy itself (for example, on the basis of documentary
medical evidence) that the gender transfer of a customer is genuine (as
with a change of name). Such cases usually involve transferring a credit
history to a reassigned gender. This involves data protection, not money
laundering issues. The consent of the person involved is necessary.
5.3.118 When opening accounts for students or other young people, the standard
identification requirement should be followed as far as possible (see
paragraphs 5.3.71 – 5.3.107). In practice, it is likely that many students,
and other young people, will have a passport, and possibly a driving
licence. Where the standard requirement would not be relevant,
however, or where the customer cannot satisfactorily meet this, other
evidence could be obtained by obtaining appropriate confirmation(s)
from the applicant’s workplace, school, college, university or care
institution (see UK Border Agency website
http://www.bia.homeoffice.gov.uk/employers/points/ and Part II, sector
1: Retail banking, Annex 1-I). Any confirmatory letter should be on
appropriately headed notepaper; in assessing the strength of such
confirmation, firms should have regard to the period of existence of the
educational or other institution involved, and whether it is subject to
some form of regulatory oversight. UCAS also maintain a database of
students who have confirmed places at a University/Higher Education
establishment, which is accessible on subscription (see
www.ucasmedia.com/).
5.3.119 All international students, other than those from EEA countries or
Switzerland, undergo rigorous checks by the immigration services at
home and abroad in order to be satisfied as to their identity and bona
fides before they are given leave to enter or remain in the UK as a
5.3.122 Where a firm has concluded that it should treat a customer as financially
excluded for the purposes of customer identification, and the customer
is identified by means other than standard evidence, the reasons for
doing so should be documented.
5.3.124 In other cases, where the available evidence of identity is limited, and
the firm judges that the individual cannot reasonably be expected to
provide more, but that the business relationship should nevertheless go
ahead, it should consider instituting enhanced monitoring arrangements
over the customer’s transactions and activity (see section 5.7). In
addition, the firm should consider whether restrictions should be placed
Regulation 28(4) 5.3.127 In deciding who the beneficial owner is in relation to a customer who is
not a private individual, the firm’s objective must be to know who has
ownership or control over the funds which form or otherwise relate to
the relationship, and/or form the controlling mind and/or management
of any legal entity involved in the funds. Verifying the identity of the
beneficial owner(s) will be carried out on a risk-based approach,
following the guidance in paragraphs 5.3.8 to 5.3.16, and will take
account of the number of individuals, the nature and distribution of their
interests in the entity and the nature and extent of any business,
contractual or family relationship between them.
5.3.128 Firms also have obligations under the UK financial sanctions regime
(see Part III, section 4: Compliance with the UK financial sanctions
regime) which require the collection of information in relation to
trustees, directors or equivalent (see Part III, paragraphs 4.83 – 4.85).
In determining the information to be collected, therefore, firms should
take account of their information needs in relation to sanctions
compliance.
Regulation 27(9)(c) and 33(1)(g) 5.3.130 Where an entity is known to be linked to a PEP (as a result of the PEP
being a beneficial owner of the entity), or to a jurisdiction assessed as
carrying a higher money laundering/terrorist financing risk, it is likely
that this will put the entity into a higher risk category, and that enhanced
due diligence measures should therefore be applied (see sections 5.5 and
5.7).
5.3.131 Many entities, both in the UK and elsewhere, operate internet websites,
which contain information about the entity. Firms should bear in mind
that this information, although helpful in providing much of the material
that a firm might need in relation to the company, its directors and
business, is not independently verified before being made publicly
available in this way.
Regulation 37(3)(a) 5.3.133 In determining whether a business relationship presents a low degree
of risk of ML/TF, and therefore the extent to which it is appropriate to
apply SDD measures, a firm must take into account, inter alia, whether
the customer is a credit institution or a financial institution which is
subject to the requirements in the fourth money laundering directive.
Regulation 37(3) 5.3.134 In their determination of the degree of low risk, firms must also take
into account whether the country where the customer is resident,
established or registered, or in which it operates, is an EEA state or an
assessed low risk jurisdiction.
Regulation 37(1) 5.3.135 If the firm determines that the situation in relation to another regulated
financial services firm presents a low degree of ML/TF risk, simplified
due diligence may be applied (see section 5.4).
5.3.137 Firms should record the steps they have taken to check the status of the
other regulated firm.
5.3.138 Firms should take appropriate steps to be reasonably satisfied that the
person they are dealing with is properly authorised by the customer.
5.3.140 Firms should take appropriate steps to be reasonably satisfied that the
person the firm is dealing with is properly authorised by the customer.
Regulation 37(5)(6) 5.3.142 Firms that are subject to the ML Regulations, and which hold client
money in pooled accounts (whether in a bank account or through a
securities holding), are in principle obliged to verify the identities of
their clients. Financial services firms with which such client accounts
are held are, however, permitted to apply SDD measures to the holders
of such funds, provided that:
➢ information identifying
o its name, registered number and principal place of business;
o its board of directors
o its senior management
o the law to which it is subject
o its legal and beneficial owners;
➢ its articles of association or other governing documents.
5.3.145 The structure, ownership, purpose and activities of the great majority of
corporates will be clear and understandable. Corporate customers can
use complex ownership structures, which can increase the steps that
Regulation 28(4)(c) 5.3.146 Control over companies may be exercised through a direct shareholding
or through intermediate holding companies. Control may also rest with
those who have power to manage funds or transactions without
requiring specific authority to do so, and who would be in a position to
override internal procedures and control mechanisms. Firms should
make an evaluation of the effective distribution of control in each case.
What constitutes control for this purpose will depend on the nature of
the company, the distribution of shareholdings, and the nature and
extent of any business or family connections between the beneficial
owners. (More specific guidance on beneficial ownership is given in
Part II, Sector 13: Private equity, paragraphs 13.49-13.52, which may
be of more general interest.)
Regulation 28(2)(b), (4)(c) 5.3.147 To the extent consistent with the risk assessment carried out in
accordance with the guidance in Chapter 4, the firm must take
reasonable measures to understand the company’s legal form and
ownership and control structure, and must obtain sufficient additional
information on the nature of the company’s business, and the reasons
for seeking the product or service.
Regulation 5(1) 5.3.148 In the case of a body corporate, other than a company listed on a
regulated market, the beneficial owner includes any individual who:
Regulation 28(3)(a) 5.3.151 The firm must obtain and verify the following information in relation to
the corporate concerned:
➢ full name
➢ registered number
➢ registered office in country of incorporation
➢ principal business address (if different from
the registered office)
Regulation 28(3) 5.3.152 (a) the law to which the corporate is subject;
(b) its constitution (whether set out in its articles of association or other
governing documents);
(c) names of its directors and the senior persons responsible for its
operations.
The firm should verify the information set out in paragraph 5.3.151,
and in (a)-(c) above, from appropriate sources, such as:
5.3.153 Firms should take appropriate steps to be reasonably satisfied that the
person the firm is dealing with is properly authorised by the customer.
Regulation 28(5) 5.3.156 Where the firm has satisfied itself that the customer is:
➢ a company which is listed on a regulated market (within the
meaning of MiFID) in the EEA, or on a non-EEA market that is
subject to specified disclosure obligations; or
➢ a majority-owned and consolidated subsidiary of such a listed
company
the obligation to identify, and to verify the identity of, beneficial
owners, and the obligation to take reasonable steps to determine and
verify the information at 5.3.152 (a)-(c) does not apply (see section 5.4).
Regulation 3(1) 5.3.157 Specified disclosure obligations are disclosure requirements consistent
with specified articles of:
Regulations 3(1) and 37(3)(a)(iv) 5.3.158 If a regulated market is located within the EEA there is no requirement
to undertake checks on the market itself. Firms should, however, record
the steps they have taken to ascertain the status of the market. If the
market is outside the EEA, but is one which subjects companies whose
securities are admitted to trading to disclosure obligations which are
contained in international standards and are equivalent to the specified
disclosure obligation in the EU, similar treatment is permitted. For
companies listed outside the EEA on markets which do not meet the
requirements set out in paragraph 5.3.157, the standard verification
requirement for private and unlisted companies should be applied.
5.3.160 Companies that are listed on a regulated market that is not equivalent
and thus where in principle an obligation to verify beneficial owners
remains, are still subject to some degree of accountability and
transparency. As part of their risk-based approach, therefore, firms may
have regard to the listing conditions that apply in the relevant
jurisdiction and the level of transparency and accountability to which
the company is subject in determining the level of checks required and
the extent to which the customer should be treated as a private company
(see paragraphs 5.3.163 - 5.3.176).
5.3.161 Firms should note that AIM is not a regulated market under MiFID.
However, due diligence requirements at admission and ongoing
5.3.162 In applying the risk based approach, firms may take into account the
potentially lower risk presented by companies whose shares are traded,
as this makes them less likely to be established for money laundering
purposes. However, the firm should, for markets that allow listed
companies to have dominant shareholders (especially where they are
also directors), ensure that such cases are examined more closely.
Regulation 33(1)(g) 5.3.164 Where private companies are well known, reputable organisations, with
long histories in their industries and substantial public information
about them, the standard evidence may well be sufficient to meet the
firm’s obligations. Where a higher risk of money laundering is
associated with the business relationship, however, EDD (and enhanced
monitoring) must be applied.
5.3.165 In the UK, a company registry search (or enquiry of the Charities
Commission in the case of a Charitable Incorporated Organisation) will
confirm that the applicant company has not been, or is not in the process
of being, dissolved, struck off or wound up. In the case of non-UK
companies, firms should make similar search enquiries of the registry in
the country of incorporation of the applicant for business.
5.3.168 Firms may find the sectoral guidance in Part II helpful in understanding
some of the business relationships that may exist between the customer
and other entities in particular business areas.
Directors
Beneficial owners
Regulation 5; Regulation 28(4),(9) 5.3.170 As part of the standard evidence, the firm will know the names of all
individual beneficial owners owning or controlling more than 25% of
the company’s shares or voting rights (even where these interests are
held indirectly) or who otherwise exercise control over the management
of the company. The firm must take reasonable measures to verify the
identity of those individuals (see paragraphs 5.3.8 to 5.3.16). Firms do
not satisfy their obligations to verify the identity of beneficial owners
by relying only on information contained in a PSC register.
Signatories
5.3.171 For operational purposes, the firm is likely to have a list of those
authorised to give instructions for the movement of funds or assets,
along with an appropriate instrument authorising one or more directors
(or equivalent) to give the firm such instructions. The identities of
individual signatories need only be verified on a risk-based approach.
Other considerations
Regulation 33(1)(g) 5.3.173 The standard evidence is likely to be sufficient for most corporate
customers. If, however, the customer, or the product or delivery
5.3.174 Higher risk corporate customers may also be, among others, smaller and
more opaque entities, with little or no industry profile and those in less
transparent jurisdictions, taking account of issues such as their size,
industry profile, industry risk.
Bearer shares
5.3.175 Extra care must be taken in the case of companies with capital in the
form of bearer shares, because in such cases it is often difficult to
identify the beneficial owner(s). Companies that issue bearer shares are
frequently incorporated in high risk jurisdictions. Firms should adopt
procedures to establish the identities of the holders and material
beneficial owners of such shares and to ensure that they are notified
whenever there is a change of holder and/or beneficial owner.
Regulation 5(3) 5.3.178 The beneficial owner of a partnership (other than a limited liability
partnership) is any individual who ultimately is entitled to or controls
(whether the entitlement or control is direct or indirect) more than a 25%
share of the capital or profits of the partnership, or more than 25% of
the voting rights in the partnership, or who otherwise exercises ultimate
control over the management of the partnership.
5.3.179 The firm should obtain the following standard evidence in relation to
the partnership or unincorporated association:
➢ full name
➢ business address
➢ names of all partners/principals who exercise
control over the management of the
partnership
➢ names of individuals who own or control over
25% of its capital or profit, or of its voting
rights
5.3.181 The firm’s obligation is to verify the identity of the customer using
evidence from a reliable source, independent of the customer. Where
partnerships or unincorporated businesses are well known, reputable
organisations, with long histories in their industries, and with substantial
public information about them and their principals and controllers,
confirmation of the customer’s membership of a relevant professional
or trade association is likely to be able to provide such reliable and
independent evidence. This does not obviate the need to verify the
identity of the partnership’s beneficial owners.
5.3.182 As part of the standard evidence, the firm will know the names of all
individual beneficial owners owning or controlling more than 25% of
the partnership’s capital or profit, or its voting rights or who otherwise
exercise control over the management of the partnership. The firm must
take reasonable measures to verify the identity of those individuals (see
paragraphs 5.3.8 to 5.3.16).
5.3.185 Firms should take appropriate steps to be reasonably satisfied that the
person the firm is dealing with is properly authorised by the customer.
Other considerations
5.3.190 It is important to know and understand any associations the entity may
have with other jurisdictions (headquarters, operating facilities,
branches, subsidiaries, etc) and the individuals who may influence its
operations (political connections, etc). A visit to the place of business
may be helpful to confirm the existence and activities of the business.
Public sector bodies, governments, state-owned companies and supranationals (other than
sovereign wealth funds)
Regulation 37(3) 5.3.192 In respect of customers which are UK or overseas governments (or their
representatives), supranational organisations, government departments,
5.3.194 Firms should obtain the following information about customers who are
public sector bodies, governments, state-owned companies and
supranationals:
5.3.195 Firms should take appropriate steps to understand the ownership of the
customer, and the nature of its relationship with its home state authority.
5.3.196 Firms should, where appropriate, verify the identities of the directors (or
equivalent) who have authority to give the firm instructions concerning
the use or transfer of funds or assets.
5.3.197 Firms should take appropriate steps to be reasonably satisfied that the
person the firm is dealing with is properly authorised by the customer.
Signatories
5.3.198 For operational purposes, the firm is likely to have a list of those
authorised to give instructions for the movement of funds or assets,
along with an appropriate instrument authorising one or more directors
(or equivalent) to give the firm such instructions. The identities of
individual signatories need only be verified on a risk-based approach.
5.3.200 For independent schools and colleges, firms should refer to the guidance
given at paragraph 5.3.253.
Other considerations
5.3.206 Notwithstanding the different forms that SWFs can take, a large
proportion of them are participants in the International Forum of
Sovereign Wealth Funds (IFSWF).
5.3.207 The IFSWF was established in April 2009 (succeeding the previous
International Working Group) to develop a common set of voluntary
[31] International Forum of Sovereign Wealth Funds www.ifswf.org
5.3.208 A general concern exists that SWFs are capable of being used to meet
political, rather than purely financial objectives, by acquiring
controlling interests in strategically important industries or destabilising
economies. For this reason, understanding the nature and purpose of the
SWF and the relationship or transaction is a key AML/CTF control and
important to the reputation of the firm. Firms should be alert to
activities that might give rise to an asset freezing order where UK
interests are at stake.
5.3.209 The firm should consider the international reputation of the country
and/or SWF concerned (see the Transparency International website
www.transparency.org for some helpful resources), before entering into
a relationship with the fund. Moreover, financial sanctions may be in
force against a country that operates an SWF and must be observed
irrespective of whether or not the country is a member of the IWG.
5.3.211 SWFs are constituted in a variety of ways. Usually, however, they take
one of the following forms:
This means that CDD must be tailored according to the nature of the
SWF. A fundamental feature, however, is that the beneficial owner of
a SWF is the government concerned.
5.3.213 The following information should be obtained about the identity of the
SWF and its officers:
5.3.214 The objectives in terms of identification are to establish that the SWF
exists, that it is owned and controlled by a government and that the
individuals with whom the firm has contact in connection with
establishing the relationship are bona fide representatives of the fund.
5.3.215 For the purposes of establishing that an SWF exists, reference should
normally be made to Appendix II to the Santiago Principles (see
paragraph 5.3.207), to confirm that it is represented on the IFSWF as a
full or observer member. Additional steps will be required if the fund
is not an IFSWF member.
5.3.216 Firms should, where appropriate, verify the identities of the directors (or
equivalent) who have authority to give the firm instructions concerning
the use or transfer of funds or assets and take steps to be reasonably
satisfied that the person(s) the firm is dealing with is properly authorised
by the SWF.
5.3.218 For operational purposes, the firm is likely to have a list of those
authorised to give instructions for the movement of funds or assets,
along with an appropriate instrument authorising one or more directors
(or equivalent) to give the firm such instructions. The identities of
individual signatories need only be verified on a risk-based approach.
Particular care should be exercised if there is a change of government
to ensure that the firm is clear as to the individuals authorised to act for
the SWF.
Beneficial ownership
5.3.219 SWFs are created to manage the wealth or financial resources at national
level so there will be no natural person that has any beneficial interest.
The constitutional documents should make this clear.
5.3.220 Given the concern that surrounds SWFs (see paragraph 5.3.216), and
the fact that those who control them, and perhaps the firm's mandate,
are likely in many cases to be PEPs, the firm needs to consider the nature
and purpose of various aspects, including:
Regulation 33(1)(g) 5.3.221 Each firm’s processes should take into account any PEP beneficial
ownership of an SWF, and, on a risk-assessed basis, require a person
from senior management and independent from the officer sponsoring
the relationship to approve the establishment of the relationship. For
higher risk relationships, the firm's compliance (or MLRO) function
should also satisfy itself that the risks are acceptable.
5.3.222 The purpose of the SWF should be evident from its constitutional
documentation and elsewhere. Note that one of the Santiago Principles
(GAPP 2) is that the purpose of the fund should be clearly defined and
publicly disclosed.
5.3.223 The reasons for using the firm's services need to be understood. For
example, investment management mandates are likely to be similar to
other institutional mandates and should be questioned if they are
unusually focused towards particular sectors, having regard (if
appropriate) to the fact that the firm may be managing a specific tranche
of the overall fund.
Other considerations
5.3.227 If a country is not a member of the IFSWF or does not subscribe to the
Santiago Principles, it may be more difficult to obtain information about
its constitution and objectives. In these circumstances, the firm must
determine what further information, if any, it requires, bearing in mind
the need to apply a risk-based approach. For example, the firm should
understand there may be increased risk that the origins of the fund are
corrupt or the funds’ purpose constitutes a potential threat in connection
with terrorism or economic manipulation.
Pension schemes
5.3.228 UK pension schemes can take a number of legal forms. Some may be
companies limited by guarantee; some may take the form of trusts;
others may be unincorporated associations. Many register with HMRC
5.3.230 For such a scheme, therefore, the firm need only satisfy itself that the
customer qualifies for simplified due diligence in this way.
Regulation 6(4)(b)(ii) 5.3.231 For a scheme that takes the form of a trust, an individual does not qualify
as a beneficial owner through having control solely as a result of
discretion delegated to him under s 34 of the Pensions Act 1995.
5.3.232 Where a pension scheme does not meet the criteria in paragraph 5.3.229,
and therefore the firm is not able to determine that simplified due
diligence measures may be applied, but has HMRC or Pensions
Regulator registration, a firm’s identification and verification
obligations may be met by confirming the scheme’s registration, as
described in paragraph 5.3.228.
Signatories
5.3.234 For operational purposes, the firm is likely to have a list of those
authorised to give instructions for the movement of funds or assets,
Other considerations
Payment of benefits
5.3.238 Charities have their status because of their purposes, and can take a
number of legal forms. Some may be companies limited by guarantee,
a Charitable Incorporated Organisation under the Charities
Commission, or incorporated by Royal Charter or by Act of Parliament;
some may take the form of trusts; others may be unincorporated
associations.
Regulation 6(1) 5.3.240 If the charity takes the form of a trust, it has no legal personality and its
trustees have control and management over its affairs. In relation to a
trust, the ML Regulations define the settlor (where one exists) and
trustees as beneficial owners. Where there is a large number of trustees
the firm may take a risk-based approach to determining on how many,
and which, in respect of whom the firm should carry out full CDD
measures. (see paragraphs 5.3.258ff.)
5.3.241 If the charity takes the form of an unincorporated association, it also has
no legal personality. Its officers, or members of its governing body, are
then the firm’s customers, on whom the firm must carry out full CDD
measures. (see paragraphs 5.3.283ff.)
5.3.243 For the vast majority of charities, either there will be no individual who
is a beneficial owner (apart from the trustees) within the meaning of the
ML Regulations, or at most a class of persons who stand to benefit from
the charity’s objects must be identified. These persons will be self-
evident from a review of the charity’s objects in its constitution or the
extract from the Register of Charities.
5.3.245 Neither the Charity Commissioners, nor judges of courts (who may
exercise powers over charities) fall within the definition of controllers
for these purposes.
5.3.246 The firm should obtain the following in relation to the charity or church
body:
5.3.247 The existence of the charity can be verified from a number of different
sources, depending on whether the charity is registered or not, a place
of worship or an independent school or college.
Charities (exception from Registration) Regulations 1996
Registered Places of Worship Act 1855
5.3.251 Certain church bodies are excepted by law from registering as charities
and may not therefore have a registered number. For tax purposes,
however, they may notify HMRC of their charitable status; verification
of their status may be met by having sight of HMRC’s confirmation of
the church’s application for charitable status. The identity of individual
churches may be verified through the headquarters or regional
organisation of the denomination, or religion.
5.3.254 Firms should take appropriate steps to be reasonably satisfied that the
person the firm is dealing with is properly authorised by the customer.
Other considerations
5.3.255 In assessing the risks presented by different charities, a firm might need
to make appropriate distinction between those with a limited
geographical remit, and those with unlimited geographical scope, such
as medical and emergency relief charities.
5.3.256 If they have a defined area of benefit, charities are only able to expend
their funds within that defined area. If this area is an overseas country
or jurisdiction, the charity can quite properly be transferring funds to
that country or jurisdiction. It would otherwise be less clear why the
organisation should be transferring funds to a third country (which may,
within the general context of the firm’s risk assessment have a lower
profile) and this would therefore be unusual. Such activity would lead
to the charity being regarded as higher risk.
5.3.258 There is a wide variety of trusts, ranging from large, nationally and
internationally active organisations subject to a high degree of public
interest and quasi-accountability, through trusts set up under
testamentary arrangements, to small, local trusts funded by small,
individual donations from local communities, serving local needs. It is
important, in putting proportionate AML/CTF processes into place, and
in carrying out their risk assessments, that firms take account of the
different money laundering or terrorist financing risks that trusts of
different sizes, areas of activity and nature of business being conducted,
present.
5.3.259 For trusts or foundations that have no legal personality, those trustees
(or equivalent) who enter into the business relationship with the firm, in
their capacity as trustees of the particular trust or foundation, are the
firm’s customers on whom the firm must carry out full CDD measures.
Following a risk-based approach, in the case of a large, well known and
accountable organisation firms may limit the trustees considered
customers to those who give instructions to the firm. Other trustees will
be verified as beneficial owners, following the guidance in paragraphs
5.3.8 to 5.3.16.
5.3.260 Most trusts are not separate legal persons, and for AML/CTF purposes
should be identified as described in paragraphs 5.3.267 to 5.3.271.
Regulation 6(1), 42(2)(b) 5.3.261 The ML Regulations specify that a beneficial owner of a relevant trust
means each of the following:
➢ the settlor;
➢ the trustees;
➢ the beneficiaries, or where the individuals benefiting from the trust
have not been determined, the class of persons in whose main
interest the trust is set up, or operates.
Regulation 6(3) 5.3.262 In relation to a foundation or other legal arrangement similar to a trust,
the beneficial owners are those who hold equivalent or similar positions
to those set out in paragraph 5.3.261.
Regulation 6(1)(a)(b) 5.3.263 In exceptional cases where persons other than trustees, the settlor and
beneficiaries exercise control over the trust property, they are to be
considered as beneficial owners. Examples of such persons may include
trust protectors.
Regulation 42(2)(b) 5.3.264 For the vast majority of relevant trusts, either there will be clearly
identified beneficiaries (who are beneficial owners within the meaning
of the ML Regulations), or a class of beneficiaries. These persons will
be self-evident from a review of the trust’s constitution.
Regulation 6(6),(7) 5.3.266 In relation to a legal entity or legal arrangement which is not a trust the
beneficial owners (see paragraph 5.3.262) are:
5.3.267 In respect of trusts, the firm should obtain the following information:
Regulation 28(2), (4)(c) 5.3.268 The identity of the trust must be verified on the basis of documents or
information obtained from a reliable source which is independent of the
customer. This may require sight of relevant extracts from the trust deed,
or reference (subject to paragraph 5.3.270) to an appropriate register in
the country of establishment. The firm must take reasonable measures
to understand the ownership and control structure of the customer.
Beneficial owners
Regulation 6(1)(a)(b) 5.3.269 The ML Regulations specify that the trustees, beneficiaries and settlor
of a trust are beneficial owners. In exceptional cases where persons
other than trustees, the settlor and beneficiaries exercise control over the
trust property, they are to be considered as beneficial owners. Examples
of such persons may include trust protectors.
Regulation 28(9) 5.3.270 The identities of other beneficial owners (e.g., certain beneficiaries),
either individuals or a class, as appropriate, must also be verified (see
paragraphs 5.3.8 to 5.3.16). Firms do not satisfy their obligations to
verify the identity of beneficial owners by relying only on information
contained in a register.
Regulation 6(1) 5.3.271 Where there is a large number of trustees the firm may take a risk-based
approach to determining on how many, and which, in respect of whom
the firm should carry out full CDD measures. (see paragraphs
5.3.258ff.)
5.3.272 Firms should take appropriate steps to be reasonably satisfied that the
person the firm is dealing with is properly authorised by the customer.
Some consideration should be given as to whether documents relied
upon are forged. In addition, if they are in a foreign language,
appropriate steps should be taken to be reasonably satisfied that the
documents in fact provide evidence of the customer’s identity.
Other considerations
5.3.274 Firms should make appropriate distinction between those trusts that
serve a limited purpose (such as inheritance tax planning) or have a
limited range of activities and those where the activities and connections
Regulation 33(1)(g) 5.3.276 Where a situation is assessed as carrying a higher risk of money
laundering or terrorist financing, the firm must carry out a higher level
of verification. Information that might be appropriate to ascertain for
higher risk situations includes:
5.3.279 Foundations feature in a number of EEA member state and other civil
law jurisdictions including, notably, Liechtenstein and Panama. The
term is also used in the UK and USA in a looser sense, usually to refer
to a charitable organisation of some sort. In the UK and USA, entities
referred to as foundations will frequently be legal entities rather than
legal arrangements.
5.3.280 The nature of a civil law foundation should normally be well understood
by firms, or their subsidiaries or branches, operating in the jurisdiction
under whose laws the foundation has been set up. Where a foundation
seeks banking or other financial services outside its home jurisdiction,
firms will need to be satisfied that there are legitimate reasons for doing
so and to establish the statutory requirements within the specific home
jurisdiction for setting up a foundation. So far as possible, comparable
information should be obtained as indicated in paragraph 5.3.267 for
trusts, including the identity of the founder and beneficiaries (who may
include the founder), whose identity should be verified as necessary on
similar risk-based principles.
5.3.281 Where the founder’s identity is withheld, firms will need to exercise
caution and have regard to the standing of any intermediary and the
extent of assurances that may be obtained from them to disclose
information on any parties concerned with the foundation in response to
judicial demand in the firm’s own jurisdiction. Liechtenstein
foundations, for example, are generally established on a fiduciary basis
through a licensed trust company to preserve the anonymity of the
founder, but the trust companies are themselves subject to AML laws.
5.3.282 Whilst firms may conclude on the basis of their due diligence that the
request for facilities is acceptable, they should bear in mind that terms
like ‘foundation’, ‘stiftung’, ‘anstalt’ are liable to be hijacked by prime
bank instrument fraudsters to add spurious credibility to bogus
investment schemes.
5.3.283 There is a wide variety of clubs and societies, ranging from large,
nationally and internationally active organisations subject to a high
degree of public interest and quasi-accountability, to small, local clubs
and societies funded by small, individual donations or subscriptions
from local communities, serving local needs. It is important, in putting
proportionate AML/CTF processes into place, and in carrying out their
risk assessments, that firms take account of the different money
laundering or terrorist financing risks that clubs and societies of
different sizes, areas of activity and nature of business being conducted,
present.
5.3.285 Many local clubs and societies are small, with limited resources, and it
is important to apply identity verification requirements that are
appropriate in the context of the financial crime risk presented by the
club or society. This might be particularly relevant in deciding which
of the trustees or office holders should be made subject to identity
verification.
5.3.286 For the vast majority of clubs and societies, either there will be no
individual who is a beneficial owner within the meaning of the ML
Regulations, or at most a class of persons who stand to benefit from the
club or society’s objects must be identified. These persons will be self-
evident from a review of the club or society’s objects in its constitution.
5.3.287 For many clubs and societies, the money laundering or terrorist
financing risk will be low. The following information should be
obtained about the customer:
5.3.288 The firm should verify the identities of the officers who have authority
to operate an account or to give the firm instructions concerning the use
or transfer of funds or assets.
5.3.289 Firms should take appropriate steps to be reasonably satisfied that the
person the firm is dealing with is properly authorised by the customer.
Other considerations
5.3.292 The firm’s risk assessment may lead it to conclude that the money
laundering or terrorist financing risk is higher, and that it should require
additional information on the purpose, funding and beneficiaries of the
club or society.
Regulation 37(1) 5.4.1 A firm may apply SDD measures in relation to a particular business
relationship or transaction if it determines that, taking into account its
Regulation 37(3) 37(3)(5) 5.4.2 When assessing whether there is a low degree of risk of ML/TF in a
particular situation, and the extent to which it is appropriate to apply
SDD measures in that situation, a firm must take account of at least the
following risk factors:
(i) Whether the customer is –
o a public administration, or a publicly owned enterprise (5.3.192/193)
o an individual resident in a geographical area of low risk
o a credit or financial institution subject to the requirements in the fourth money laundering directive (see paragraph 5.3.133)
o a company listed on a regulated market (see paragraph 5.3.155)
o firms holding a pooled account (see paragraph 5.3.142)
(ii) certain life assurance and e-money products (see Part II, sectors 7 and 3)
(iii) certain pension funds (see paragraphs 5.4.4 and 5.3.228ff)
(iv) Child Trust Funds and Junior ISAs (see paragraphs 5.4.5 - 5.4.7)
Regulation 37(7) 5.4.3 Annex 5-III to this chapter sets out suggested Risk Factor Guidelines on
Simplified Due Diligence, consistent with those issued jointly by the
European Supervisory Authorities32, to which firms must have regard.
Regulation 37(3)(b)(iii) 5.4.4 Subject to an assessment of the ML/TF risk presented, SDD measures
may be applied to pension, superannuation or similar schemes which
provide retirement benefits to employees, where contributions are made
by an employer or by way of deduction from an employee’s wages and
the scheme rules do not permit the assignment of a member’s interest
under the scheme.
Regulation 37(3)(b)(vi)(vii) 5.4.5 SDD measures may be applied to Child Trust Funds and Junior ISAs.
5.4.6 In respect of Junior ISAs, although SDD measures may be applied, firms
will, however, in due course need to verify identity at the point the child
reaches 18 years and becomes entitled to the funds, or at the next
‘trigger’ event thereafter (unless the child’s identity has by then already
been verified for the purposes of some other relationship).
5.4.7 With Junior ISAs, the child is able to manage the account from the age
of 16, in which case the firm might choose to undertake customer due
diligence at that stage in order to avoid delaying any transaction the
child should wish to undertake on reaching 18, when the account
becomes a ‘full’ ISA. It is recommended that firms indicate in their
product literature etc. what their policy will be when, for example, the
child reaches 16 or 18.
32
These Guidelines were published on 26 June 2017, to take effect by 26 June 2018. See
https://www.eba.europa.eu/documents/10180/1890686/Final+Guidelines+on+Risk+Factors+%28JC+2017+37%29.pdf
Regulation 28(11)
POCA s330 (2)(b)
Terrorism Act s 21A
5.4.9 A determination that SDD measures may be applied in a particular
situation does not remove the obligation to conduct ongoing
monitoring of the business relationship, although the extent of this may
be adjusted to reflect its determination of the low degree of ML/TF risk.
Such determination does not affect the duty to report knowledge or
suspicion of money laundering or terrorist financing.
Regulation 33 (1)(g) 5.5.1 A firm must apply EDD measures on a risk-sensitive basis in any
situation which by its nature can present a higher risk of money
laundering or terrorist financing. As part of this, a firm may conclude,
under its risk-based approach, that the information it has collected as
part of the customer due diligence process (see section 5.3) is
insufficient in relation to the money laundering or terrorist financing
risk, and that it must obtain additional information about a particular
customer, the customer’s beneficial owner, where applicable, and the
purpose and intended nature of the business relationship.
➢ to inform its risk assessment process, and thus manage its money
laundering/terrorist financing risks effectively; and
5.5.6 When someone becomes a new customer, or applies for a new product
or service, or where there are indications that the risk associated with an
existing business relationship might have increased, the firm should,
depending on the nature of the product or service for which they are
applying, request information as to the customer’s residential status,
employment and salary details, and other sources of income or wealth
(e.g., inheritance, divorce settlement, property sale), in order to decide
whether to accept the application or continue with the relationship. The
firm should consider whether, in some circumstances, evidence of
source of wealth or income should be required (for example, if from an
inheritance, see a copy of the will). The firm should also consider
whether or not there is a need to enhance its activity monitoring in
respect of the relationship. A firm should have a clear policy regarding
the escalation of decisions to senior management concerning the
acceptance or continuation of high-risk business relationships.
5.5.7 The availability and use of other financial information held is important
for reducing the additional costs of collecting customer due diligence
information and can help increase a firm’s understanding of the risk
associated with the business relationship. Where appropriate and
practical, therefore, and where there are no data protection restrictions,
firms should take reasonable steps to ensure that where they have
customer due diligence information in one part of the business, they are
able to link it to information in another.
5.5.8 At all times, firms should bear in mind their obligations under the Data
Protection Act only to seek information that is needed for the declared
purpose, not to retain personal information longer than is necessary,
and to ensure that information that is held is kept up to date.
Regulation 33(1) 5.5.9 In addition to the general obligation, referred to in paragraph 5.5.1, to
apply EDD measures, the ML Regulations prescribe six specific
circumstances in respect of which EDD measures must be applied.
These are:
➢ in any case identified by the firm under its risk assessment (or in
information provided by the supervisory authorities) where there is
a high risk of ML/TF;
➢ in any business relationship or transaction with a person established
in a high risk third country;
➢ in relation to correspondent relationships with a non-EEA credit or
financial institution (see Part II, sector 16: Correspondent
relationships);
➢ if a firm has determined that a customer or potential customer is a
PEP, or a family member or known close associate of a PEP (see
paragraphs 5.5.13ff);
➢ in any case where a customer has provided false or stolen
identification documents or information on establishing a
relationship;
Regulation 33(2) 5.5.10 The obligation to apply EDD measures does not apply when the
customer is a branch or majority owned subsidiary undertaking located
in a high risk country of an entity which is established in an EEA state
and subject to the obligations in the fourth money laundering directive
as an obliged entity, if -
Regulation 33(3) 5.5.11 A ‘high risk third country’ means a country which has been identified
by the Commission under the fourth money laundering directive as a
high risk country. The Commission adopted Delegated Regulation
2016/1675 in July 2016. See http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2016.254.01.0001.01.ENG.
Regulation 33(8) 5.5.12 Annex 5-IV to this chapter sets out suggested Risk Factor Guidelines on
Enhanced Due Diligence, consistent with those issued jointly by the
European Supervisory Authorities33, to which firms must have regard.
Regulation 35(3)(a) 5.5.13 Individuals who have, or have had, a high political profile, or hold, or
have held, public office, can pose a higher money laundering risk to
firms as their position may make them vulnerable to corruption. This
risk also extends to members of their immediate families and to known
close associates. PEP status itself does not, of course, incriminate
individuals or entities. It does, however, put the customer, or the
beneficial owner, into a higher risk category. The level of risk
associated with any PEP, family member or close associate (and the
extent of EDD measures to be applied) must be considered on a case-
by-case basis.
Regulation 35(4)(b), 48 5.5.14 The FCA is required to give guidance to the firms it supervises in
relation to the EDD measures required under the ML Regulations in
respect of PEPs, their family members and known close associates.
Firms should have regard to this guidance.
Regulation 35(12)(a) 5.5.15 A PEP is defined as an individual who is entrusted with prominent
public functions, other than as a middle-ranking or more junior official.
33
These Guidelines were published on 26 June 2017, to take effect by 26 June 2018. See
https://www.eba.europa.eu/documents/10180/1890686/Final+Guidelines+on+Risk+Factors+%28JC+2017+37%29.pdf
Regulation 35(9) 5.5.16 Under the definition of a PEP the obligation to apply EDD measures to
an individual ceases after he has left office for one year, or for such
longer period as the firm considers appropriate, in order to address risks
of ML/TF in relation to that person.
Regulation 35(14) 5.5.17 Individuals entrusted with prominent public functions include:
5.5.18 Public functions exercised at levels lower than national should normally
not be considered prominent. However, when their political exposure
is comparable to that of similar positions at national level, for example,
a senior official at state level in a federal system, firms should consider,
on a risk-based approach, whether persons exercising those public
functions should be considered as PEPs.
Regulation 35(11) 5.5.21 A firm is no longer obliged to apply EDD measures to family members
or close associates of a PEP when the PEP is no longer entrusted with a
prominent public function, whether or not the period in paragraph 5.5.16
has expired.
Regulation 35(15) 5.5.22 For the purpose of deciding whether a person is known to be a close
associate of a PEP, the firm need only have regard to any information
Regulation 35(1), (5) 5.5.23 Firms are required, on a risk-sensitive basis, to:
Risk-based procedures
5.5.24 The nature and scope of a particular firm’s business will generally
determine whether the existence of PEPs in their customer base is an
issue for the firm, and whether or not the firm needs to screen all
customers for this purpose. In the context of this risk analysis, it would
be appropriate if the firm’s resources were focused in particular on
products and transactions that are characterised by a high risk of money
laundering.
Regulation 35(3), 35(4)(b) 5.5.25 Firms should take a proportional, risk-based and differentiated approach
to conducting transactions or business relationships with PEPs,
depending on where they are assessed on the scale of risk.
Regulation 35(3), (4) 5.5.27 In order to determine how to assess individual customers for PEP
purposes, firms’ analysis should therefore employ an appropriate risk-
based approach, to assess where on the PEP continuum an individual
lies. Firms are under a legal requirement to conduct EDD on PEPs, their
family members and known close associates. The levels of money
laundering/terrorist financing risk presented will vary on a case-by-case
basis. The higher up the risk scale a PEP is, the more extensive the EDD
measures that should be carried out. Conversely, in cases lower down
the risk scale, it may be appropriate for firms to take less intrusive and
less exhaustive EDD measures.
5.5.28 Where firms need to carry out specific checks, they may be able to rely
on an internet search engine, or consult relevant reports and databases
on corruption risk published by specialised national, international, non-
governmental and commercial organisations. Resources such as the
Transparency International Corruption Perception Index, which ranks
approximately 150 countries according to their perceived level of
corruption, may be helpful in terms of assessing the risk. The IMF,
World Bank and some non-governmental organisations also publish
relevant reports. If there is a need to conduct more thorough checks, or
if there is a high likelihood of a firm having PEPs for customers,
subscription to a specialist PEP database may be an adequate risk
mitigation tool.
Source of wealth
5.5.29 It is for each firm to decide the steps it takes to determine whether a PEP
is seeking to establish a business relationship for legitimate reasons.
Regulation 35(5)(b) 5.5.30 Firms must take adequate measures to establish the source of wealth and
source of funds which are involved in the business relationship in order
to allow the firm to satisfy itself that it does not handle the proceeds
from corruption or other criminal activity. The measures firms should
take to establish the PEP’s source of wealth and the source of funds will
depend on the degree of risk associated with the business relationship,
and where the individual sits on the PEP continuum. Firms should verify
the source of wealth and the source of funds on the basis of reliable and
independent data, documents or information where the risk associated
with the PEP relationship is particularly high.
5.5.31 Firms should, where possible, refer to information sources such as asset
and income declarations, which some jurisdictions expect certain senior
public officials to file and which often include information about an
official’s source of wealth and current business interests34. Firms should
note that not all declarations are publicly available and that a PEP
customer may have legitimate reasons for not providing a copy. Firms
should also be aware that some jurisdictions impose restrictions on their
PEPs’ ability to hold foreign bank accounts or to hold other office or
paid employment.
5.5.32 For PEPs who are assessed as being higher on the scale of risk, firms
could, for example, and when conducting source of wealth checks on
funds from inheritance, request a copy of the relevant will. Where the
wealth/funds of such PEPs originate from the sale of property, firms
could seek evidence of conveyancing.
34
The World Bank has compiled a library on various countries’ laws about disclosure of officials’ income and
assets. See http://publicofficialsfinancialdisclosure.worldbank.org/about-the-library
5.5.34 The appropriate level of seniority for sign off should therefore be
determined by the level of increased risk associated with the business
relationship; and the senior manager approving a PEP business
relationship should have sufficient seniority and oversight to take
informed decisions on issues that directly impact the firm’s risk profile,
and not (solely) on the basis that the individual is a PEP. When
considering whether to approve a PEP relationship, senior management
should base their decision on the level of ML/TF risk the firm would be
exposed to if it entered into that business relationship and how well
equipped the firm is to manage that risk effectively.
On-going monitoring
5.5.36 Firms should identify unusual transactions and regularly review the
information they hold to ensure that any new or emerging information
that could affect the risk assessment is identified in a timely fashion.
The frequency of ongoing monitoring and review should be determined
by the level of risk associated with the relationship.
5.6.1 Frequently, a customer may have contact with two or more firms in
respect of the same transaction. This can be the case in both the retail
market, where customers are routinely introduced by one firm to
another, or deal with one firm through another, and in some wholesale
markets, such as syndicated lending, where several firms may
participate in a single loan to a customer.
5.6.2 However, several firms requesting the same information from the same
customer in respect of the same transaction not only does not help in
the fight against financial crime, but also adds to the inconvenience of
the customer. It is important, therefore, that in all circumstances each
firm is clear as to its relationship with the customer and its related
AML/CTF obligations, and as to the extent to which it can rely upon or
otherwise take account of the verification of the customer that another
firm has carried out. Such account must be taken in a balanced way
Regulation 39 5.6.4 The ML Regulations expressly permit a firm to rely on another person
to apply any or all of the CDD measures, provided that the other person
is listed in Regulation 39(3) (see paragraph 5.6.6). The relying firm,
however, retains responsibility for any failure to comply with a
requirement of the Regulations, as this responsibility cannot be
delegated.
firm A may rely on firm B to carry out CDD measures, while remaining
ultimately liable for compliance with the ML Regulations.
Regulation 39(2)(a) 5.6.7 Where a firm relies on a third party to carry out CDD measures, it must
immediately obtain from the third party all the information needed to
identify the customer or beneficial owner.
Regulation 39(2)(b), 40(6) 5.6.8 The firm must enter into arrangements with the firm being relied on
which:
Regulation 39(7)(8) 5.6.9 Nothing in the ML Regulations prevents a firm applying CDD measures
by means of an agent or an outsourcing service provider (but see
paragraphs 5.6.13 to 5.6.16), provided that the arrangements between
the firm and the agent or outsourcing service provider provide for the
firm to remain liable for any failure to apply such measures.
Basis of reliance
5.6.10 For one firm to rely on verification carried out by another firm, the
verification that the firm being relied upon has carried out must have
been based at least on the standard level of customer verification. It is
not permissible to rely on SDD carried out, or any other exceptional
form of verification, such as the use of source of funds as evidence of
identity.
5.6.11 Firms may also only rely on verification actually carried out by the firm
being relied upon. A firm that has been relied on to verify a customer’s
identity may not ‘pass on’ verification carried out for it by another firm.
Regulation 10(2)(a), 5.6.12 Under the ML Regulations, the FCA has the additional responsibility
for supervising the AML/CTF systems and controls in Annex I
Financial Institutions. Such businesses are not regulated by the FCA,
and may not therefore be relied on to carry out CDD measures on behalf
of other firms until such time as this is permitted under the ML
Regulations.
5.6.13 Whether a firm wishes to place reliance on a third party will be part of
the firm’s risk-based assessment, which, in addition to confirming the
third party’s regulated status, may include consideration of matters such
as:
5.6.15 In practice, the firm relying on the confirmation of a third party needs
to know:
5.6.16 The third party has no obligation to provide such confirmation to the
product/service provider, and may choose not to do so. In such
circumstances, or if the product/service provider decides that it does not
wish to rely upon the third party, then the firm must carry out its own
CDD measures on the customer.
5.6.17 For a firm to confirm that it has carried out CDD measures in respect of
a customer is a serious matter. A firm must not give a confirmation on
the basis of a generalised assumption that the firm’s systems have
operated effectively. There has to be awareness that the appropriate
steps have in fact been taken in respect of the customer that is the subject
of the confirmation.
Regulation 40(7) 5.6.18 A firm (other than an agent or outsourced service provider) which is
relied on by another person must, if requested by the firm relying on it,
immediately
Regulation 40 (6), (7) 5.6.20 A request to forward copies of any identification and verification data
and other relevant documents on the identity of the customer or
beneficial owner obtained when applying CDD measures, if made,
would normally be as part of a firm’s risk-based customer acceptance
procedures. However, the firm giving the confirmation must be
prepared to provide these data or other relevant documents throughout
the period for which it has an obligation under the Regulations to retain
them.
5.6.21 Where a firm makes such a request, and it is not met, the firm will need
to take account of that fact in its assessment of the third party in
question, and of the ability to rely on the third party in the future.
5.6.22 A firm must also document the steps taken to confirm that the firm relied
upon satisfies the requirements in Regulation 39(3). This is particularly
important where the firm relied upon is situated outside the EEA.
5.6.23 Part of the firm’s AML/CTF policy statement should address the
circumstances where reliance may be placed on other firms and how the
firm will assess whether the other firm satisfies the definition of third
party in Regulation 39(3) (see paragraph 5.6.6).
Group introductions
Regulation 39(6) 5.6.24 Where customers are introduced between different parts of the same
financial sector group, entities that are part of the group should be able
to rely on identification procedures conducted by that part of the group
which first dealt with the customer. One member of a group should be
able to confirm to another part of the group that the identity of the
customer has been appropriately verified.
Regulation 39(5) 5.6.25 Where a customer is introduced by one part of a financial sector group
to another, it is not necessary for his identity to be re-verified, provided
that:
➢ the identity of the customer has been verified by the introducing part
of the group in line with AML/CTF standards in the UK, the EU or
an assessed low risk jurisdiction; and
➢ the group entity that carried out the CDD measures can be relied
upon as a third party under Regulation 39(3).
5.6.26 The acceptance by a UK firm of confirmation from another group entity
that the identity of a customer has been satisfactorily verified is
dependent on the relevant records being readily accessible, on request,
from the UK.
Regulation 39 (3) 5.6.28 Whilst a firm may be able to place reliance on another party to apply all
or part of the CDD measures under Regulation 39(3) (see paragraph
5.6.4), it may still wish to receive, as part of its risk-based procedures,
a written confirmation from the third party. This may also be the case,
for example, when a firm is unlikely to have an ongoing relationship
with the third party. Confirmations can be particularly helpful when
5.6.31 At one end of the spectrum, one firm may act solely as an introducer
between the customer and the firm providing the product or service,
and may have no further relationship with the customer. The introducer
plays no part in the transaction between the customer and the firm, and
has no relationship with either of these parties that would constitute a
business relationship. This would be the case, for example, in respect
of name-passing brokers in inter-professional markets, on which
specific guidance is given in Part II, sector 19: Name passing brokers
in the inter-professional market.
5.6.32 In these circumstances, where the introducer neither gives advice nor
plays any part in the negotiation or execution of the transaction, the
identification and verification obligations under the ML Regulations lie
with the product/service provider. This does not, of course, preclude
the introducing firm carrying out identification and verification of the
customer on behalf of the firm providing the product or service, as
agent for that firm (see paragraphs 5.6.34 – 5.6.35).
5.6.34 Similarly, where the product/service provider has a direct sales force,
they are part of the firm, whether or not they operate under a separate
group legal entity. The firm is responsible for specifying what is
required, and for ensuring that records of the appropriate verification
evidence taken in respect of the customer are retained.
5.6.37 Where a firm cannot apply simplified due diligence to the intermediary
(see paragraphs 5.4.1ff), the product/service provider is obliged to carry
out CDD measures on the intermediary and, as the intermediary acts for
another, on the underlying customer.
5.6.38 Where the firm takes instruction from the underlying customer, or where
the firm acts on the underlying customer’s behalf (e.g., as a custodian)
the firm then has an obligation to carry out CDD measures in respect of
that customer, although the reliance provisions (see paragraphs 5.6.4ff)
may be applied.
Regulation 28(11) 5.7.1 Firms must conduct ongoing monitoring of the business relationship
with their customers. Ongoing monitoring of a business relationship
includes:
What is monitoring?
5.7.6 Firms should also have systems and procedures to deal with customers
who have not had contact with the firm for some time, in circumstances
where regular contact might be expected, and with dormant accounts or
relationships, to be able to identify future reactivation and unauthorised
use.
5.7.8 Monitoring is not a mechanical process and does not necessarily require
sophisticated electronic systems. The scope and complexity of the
process will be influenced by the firm’s business activities, and whether
the firm is large or small. The key elements of any system are having
up-to-date customer information, on the basis of which it will be
possible to spot the unusual, and asking pertinent questions to elicit the
reasons for unusual transactions or activities in order to judge whether
they may represent something suspicious.
Nature of monitoring
Regulation 33(1), 33(5)(d) 5.7.12 Higher risk accounts and customer relationships require enhanced
ongoing monitoring. This will generally mean more frequent or
intensive monitoring.
Manual or automated?
5.7.16 The greater the volume of transactions, the less easy it will be for a firm
to monitor them without the aid of some automation. Systems available
include those that many firms, particularly those that offer credit, use to
ANNEX 5-I/1
PRIVATE INDIVIDUAL
Full name of
Customer
Date of Birth
2 CONFIRMATION
meets the standard evidence set out within the Guidance for the UK Financial Sector
issued by JMLSG; or
exceeds the standard evidence (written details of the further verification evidence taken
are attached to this confirmation).
Signed:
Name:
Position:
Date:
Full Name of
Regulated Firm
(or Sole Trader):
FCA Reference
Number:
Explanatory notes
1. A separate confirmation must be completed for each customer (e.g. joint holders, trustee cases and
joint life cases). Where a third party is involved, e.g. a payer of contributions who is different from
the customer, the identity of that person must also be verified, and a confirmation provided.
2. This form cannot be used to verify the identity of any customer that falls into one of the following
categories:
➢ those who are exempt from verification as being an existing client of the introducing firm
prior to the introduction of the requirement for such verification;
➢ those who have been subject to Simplified Due Diligence under the Money Laundering
Regulations; or
➢ those whose identity has been verified using the source of funds as evidence.
ANNEX 5-I/2
PRIVATE INDIVIDUAL
Full name of
Customer
Date of Birth
2 CONFIRMATION
We confirm that
(a) the information in section 1 above was obtained by us in relation to the customer;
(b) the evidence we have obtained to verify the identity of the customer meets the requirements of
our national money laundering legislation that implements the EU Money Laundering
Directive, and any relevant authoritative guidance provided as best practice in relation to the
type of business or transaction to which this confirmation relates;
(c) copies of the underlying evidence taken in relation to the verification of the customer’s identity
will, on request from you (or from UK law enforcement agencies or regulators under court
order or relevant mutual assistance procedure), be made available, to the extent that we are
required under local law to retain these records.
Signed:
Name:
Position:
Date:
Full Name of
Regulated Firm:
Jurisdiction:
Name of
Regulator:
Regulator
Reference
Number:
Explanatory notes
1. A separate confirmation must be completed for each customer (e.g. joint holders, trustee cases and
joint life cases). Where a third party is involved, e.g. a payer of contributions who is different from
the customer, the identity of that person must also be verified, and a confirmation provided.
2. This form cannot be used to verify the identity of any customer that falls into one of the following
categories:
➢ those who are exempt from verification as being an existing client of the introducing firm
prior to the adoption of our national legislation that implements the EU Money Laundering
Directive
ANNEX 5-I/3
CONFIRMATION OF VERIFICATION OF IDENTITY
PRIVATE INDIVIDUAL
Full name of
Customer
Date of Birth
2 CONFIRMATION
We confirm that:
(a) the information in section 1 above was obtained by us in relation to the customer;
(b) the evidence we have obtained to verify the identity of the customer meets the requirements of
local law and regulation;
(c) copies of the underlying evidence taken in relation to the verification of the customer’s identity
will, on request from you (or from UK law enforcement agencies or regulators under court
order or relevant mutual assistance procedure), be made available, to the extent that we are
required under local law to retain these records.
Signed:
Name:
Position:
Date:
Full Name of
Regulated Firm:
Jurisdiction:
Name of
Regulator:
Regulator
Reference
Number:
Explanatory notes
1 A separate confirmation must be completed for each customer (e.g. joint holders, trustee cases and
joint life cases). Where a third party is involved, e.g. a payer of contributions who is different from
the customer, the identity of that person must also be verified, and a confirmation provided.
2 This form cannot be used to verify the identity of any customer that falls into one of the following
categories:
➢ those who are exempt from verification as being an existing client of the introducing firm
prior to the adoption of local anti money laundering laws or regulation requiring such
verification; or
➢ those whose identity has not been verified by virtue of the application of a permitted
exemption under local anti money laundering laws or regulation.
ANNEX 5-I/4
CONFIRMATION OF VERIFICATION OF IDENTITY
2 CONFIRMATION
I/we confirm that
(a) the information in section 1 above was obtained by me/us in relation to the customer;
(b) the evidence I/we have obtained to verify the identity of the customer: [tick only one]
meets the guidance for standard evidence set out within the guidance for the UK
Financial Sector issued by JMLSG; or
exceeds the standard evidence (written details of the further verification evidence
taken are attached to this confirmation).
Signed:
Name:
Position:
Date:
Full Name of
Regulated Firm
(or Sole Trader):
FCA Reference
Number:
Explanatory notes
1. “Relevant company registry” includes other registers, such as those maintained by charity
commissions (or equivalent) or chambers of commerce.
2. This form cannot be used to verify the identity of any customer that falls into one of the following
categories:
➢ those who are exempt from verification as being an existing client of the introducing firm
prior to the introduction of the requirement for such verification;
➢ those who have been subject to Simplified Due Diligence under the Money Laundering
Regulations; or
➢ those whose identity has been verified using the source of funds as evidence.
ANNEX 5-I/5
CONFIRMATION OF VERIFICATION OF IDENTITY
CORPORATE AND OTHER NON-PERSONAL ENTITY
INTRODUCTION BY AN EU REGULATED FINANCIAL SERVICES FIRM
1 DETAILS OF CUSTOMER (see explanatory notes below)
2 CONFIRMATION
We confirm that
(a) the information in section 1 above was obtained by us in relation to the customer;
(b) the evidence we have obtained to verify the identity of the customer meets the requirements of
our national money laundering legislation that implements the EU Money Laundering
Directive, and any relevant authoritative guidance provided as best practice in relation to the
type of business or transaction to which this confirmation relates;
(c) copies of the underlying evidence taken in relation to the verification of the customer’s identity
will, in the event of any enquiry from you (or from UK law enforcement agencies or regulators
under court order or relevant mutual assistance procedure), be made available, to the extent
that we are required under local law to retain these records.
Signed:
Name:
Position:
Date:
Full Name of
Regulated Firm:
Jurisdiction:
Name of Regulator:
Regulator
Reference Number:
Explanatory notes
1. “Relevant company registry” includes other registers, such as those maintained by charity
commissions (or equivalent) or chambers of commerce.
2. This form cannot be used to verify the identity of any customer that falls into one of the following
categories:
➢ those who are exempt from verification as being an existing client of the introducing firm
prior to the adoption of our national legislation that implements the EU Money Laundering
Directive
ANNEX 5-I/6
CONFIRMATION OF VERIFICATION OF IDENTITY
CORPORATE AND OTHER NON-PERSONAL ENTITY
INTRODUCTION BY A NON-EU REGULATED FINANCIAL SERVICES FIRM
(which the receiving firm has accepted as being from an assessed low risk jurisdiction)
1 DETAILS OF CUSTOMER (see explanatory notes below)
Full name of customer
Type of entity
(corporate, trust, etc)
Location of business
(full operating
address)
Registered office in
country of
incorporation
Registered number, if
any (or appropriate)
Relevant company
registry or regulated
market listing
authority
Names* of directors
(or equivalent)
Names* of principal
beneficial owners
(over 25%)
* And dates of birth, if known
2 CONFIRMATION
We confirm that:
(a) the information in section 1 above was obtained by us in relation to the customer;
(b) the evidence we have obtained to verify the identity of the customer meets the requirements of
local law and regulation;
(c) copies of the underlying evidence taken in relation to the verification of the customer’s identity
will, in the event of any enquiry from you (or from UK law enforcement agencies or regulators
under court order or relevant mutual assistance procedure), be made available, to the extent
that we are required under local law to retain these records.
Signed:
Name:
Position:
Date:
Full Name of
Regulated Firm:
Jurisdiction:
Name of
Regulator:
Regulator
Reference
Number:
Explanatory notes
1 “Relevant company registry” includes other registers, such as those maintained by charity
commissions (or equivalent) or chambers of commerce.
2 This form cannot be used to verify the identity of any customer that falls into one of the following
categories:
➢ those who are exempt from verification as being an existing client of the introducing firm
prior to the adoption of local anti money laundering laws or regulation requiring such
verification; or
➢ those whose identity has not been verified by virtue of the application of a permitted
exemption under local anti money laundering laws or regulation.
ANNEX 5-II/1
CONFIRMATION OF VERIFICATION OF IDENTITY
GROUP INTRODUCTION
PRIVATE INDIVIDUAL
Full name of
Customer
Current Address Previous address if customer has
changed address in the last three months
Date of Birth
2 CONFIRMATION
We confirm that
(a) the verification of the identity of the above customer meets the requirements:
i. of the Money Laundering Regulations 2017, and the guidance for standard evidence set
out within the guidance for the UK Financial Sector issued by JMLSG; or
ii. of our national money laundering legislation that implements the EU Money Laundering
Directive, and any relevant authoritative guidance provided as best practice in relation to
the type of business or transaction to which this confirmation relates; or
iii. of local law and regulation.
(b) copies of the underlying evidence taken in relation to the verification of the customer’s identity
will, in the event of any enquiry from you (or from UK law enforcement agencies or regulators
under court order or relevant mutual assistance procedure), be made available, to the extent
that we are required under local law to retain these records.
Signed:
Name:
Position:
Date:
Explanatory notes
1. A separate confirmation must be completed for each customer (e.g. joint holders). Where a third
party is involved, e.g. a payer of contributions who is different from the customer, the identity of
that person must also be verified, and a confirmation provided.
2. This form cannot be used to verify the identity of any customer that falls into one of the following
categories:
➢ those who are exempt from verification as being an existing client of the introducing firm
prior to the introduction of the requirement for such verification;
➢ those whose identity has not been verified by virtue of the application of a permitted
exemption under local anti money laundering law or regulation; or
➢ those whose identity has been verified using the source of funds as evidence.
ANNEX 5-II/2
CONFIRMATION OF VERIFICATION OF IDENTITY
GROUP INTRODUCTION
CORPORATE AND OTHER NON-PERSONAL ENTITY
2 CONFIRMATION
We confirm that
(a) the verification of the identity of the above customer meets the requirements:
(i) of the Money Laundering Regulations 2017, and the guidance for standard evidence set
out within the guidance for the UK Financial Sector issued by JMLSG; or
(ii) of our national money laundering legislation that implements the EU Money Laundering
Directive, and any authoritative relevant guidance provided as best practice in relation to
the type of business or transaction to which this confirmation relates; or
(iii) of local law and regulation.
(b) copies of the underlying evidence taken in relation to the verification of the customer’s identity
will, in the event of any enquiry from you (or from UK law enforcement agencies or regulators
under court order or relevant mutual assistance procedure), be made available, to the extent
that we are required under local law to retain these records.
Signed:
Name:
Position:
Date:
Full Name of
Regulated Firm:
Relationship to
receiving firm:
Jurisdiction:
Name of
Regulator:
Regulator
Reference
Number:
Explanatory notes
1. “Relevant company registry” includes other registers, such as those maintained by charity
commissions (or equivalent) or chambers of commerce.
2. This form cannot be used to verify the identity of any customer that falls into one of the following
categories:
➢ those who are exempt from verification as being an existing client of the introducing firm
prior to the introduction of the requirement for such verification;
➢ those whose identity has not been verified by virtue of the application of a permitted
exemption under local anti money laundering law or regulation; or
➢ those whose identity has been verified using the source of funds as evidence.
ANNEX 5-III
Firms may apply simplified due diligence (SDD) measures in situations where the ML/TF risk associated
with a business relationship is low. SDD is not an exemption from any of the CDD measures; however,
firms may adjust the amount, timing or type of each or all of the CDD measures in a way that is
commensurate to the low risk they identified.
SDD measures firms may apply include, but are not limited to:
o adjusting the timing of CDD, for example where the product or transaction sought has
features that limit its use for ML/TF purposes, such as:
(i) verifying the customer’s or beneficial owner’s identity during the establishment of
the business relationship; or
(ii) verifying the customer’s or beneficial owner’s identity once transactions exceed a
defined threshold or once a reasonable time limit has lapsed. Firms must make sure
that:
a) this does not result in a de facto exemption from CDD, i.e. firms must ensure
that the customer or beneficial owner’s identity will ultimately be verified;
c) they have systems in place to detect when the threshold or time limit has been
reached; and
d) they do not defer CDD or delay obtaining relevant information about the
customer where applicable legislation does not permit this.
(ii) assuming the nature and purpose of the business relationship because the product
is designed for one particular use only, such as a company pension scheme or a
shopping centre gift card.
(i) accepting information obtained from the customer rather than an independent
source when verifying the beneficial owner’s identity; note that this is not
permitted in relation to the verification of the customer’s identity;
(ii) where the risk associated with all aspects of the relationship is determined to be
very low, relying on the source of funds to meet some of the CDD requirements,
e.g. where the funds are state benefit payments or where the funds have been
transferred from an account in the customer’s name at an EEA firm.
o adjusting the frequency of CDD updates and reviews of the business relationship, for example
only when trigger events occur such as the customer looking to take out a new product or
service, or when a certain transaction threshold is reached; firms must make sure that this
does not result in a de facto exemption from keeping CDD information up-to-date.
o adjusting the frequency and intensity of transaction monitoring, for example by monitoring
transactions above a certain threshold only. Where firms choose to do this, they must ensure
that the threshold is set at a reasonable level and that they have systems in place to identify
linked transactions which, taken together, would exceed that threshold.
The information a firm obtains when applying SDD measures must enable the firm to be reasonably
satisfied that the risk associated with the relationship is low. It must also be sufficient to give the firm
enough information about the nature of the business relationship to identify any unusual or suspicious
transactions. SDD does not exempt an institution from reporting suspicious transactions to the FIU.
Where there are indications that the risk may not be low, for example where there are grounds to suspect
that money laundering or terrorist financing is being attempted or where the firm has doubts about the
veracity of the information obtained, SDD must not be applied.
ANNEX 5-IV
Unusual transactions
Firms should put in place adequate policies and procedures to detect unusual transactions or patterns of
transactions. Where a firm detects transactions that are unusual because:
o they are larger than what the firm would normally expect based on its knowledge of the customer,
the business relationship or the category to which the customer belongs; or
o they have an unusual or unexpected pattern compared to the customer’s normal activity or the
pattern of transactions associated with similar customers, products or services; or
o they are very complex compared to other, similar transactions by similar customer types, products
or services,
and the firm is not aware of an economic rationale or lawful purpose or doubts the veracity of the
information it has been given, it must apply EDD measures.
These EDD measures should be sufficient to help the firm determine whether these transactions give rise
to suspicion and must at least include:
o taking reasonable measures to understand the background and purpose of these transactions, for
example by establishing the source and destination of the funds or finding out more about the
customer’s business to ascertain the likelihood of the customer making such transactions; and
o monitoring the business relationship and subsequent transactions more frequently and with
greater attention to detail. A firm may decide to monitor individual transactions where this is
commensurate with the risk it has identified.
When dealing with individuals or entities established or residing in a high risk third country identified by
the Commission, and in all other high risk situations, firms should take an informed decision which EDD
measures are appropriate for each high risk situation. The appropriate type of EDD, including the extent
of additional information sought, and of the increased monitoring carried out, will depend on the reason
why a relationship was classified as high risk.
Firms will not need to apply all EDD measures listed below in all cases. For example, in certain high risk
situations it may be appropriate to focus on enhanced ongoing monitoring during the course of the
business relationship.
(i) about the customer’s or beneficial owner’s identity, or the customer’s ownership and
control structure, to be satisfied that the risk associated with the relationship is well
known. This may include obtaining and assessing information about the customer’s
or beneficial owner’s reputation and assessing any negative allegations against the
customer or beneficial owner. Examples include:
(ii) about the intended nature of the business relationship, to ascertain that the nature and
purpose of the business relationship is legitimate and to help firms obtain a more
complete customer risk profile. It includes obtaining information on:
a. the number, size and frequency of transactions that are likely to pass through
the account to be able to spot deviations that may give rise to suspicions. In some
cases, requesting evidence may be appropriate;
b. why the customer looks for a specific product or service, in particular where
it is unclear why the customer’s needs cannot be met better in another way, or in
a different jurisdiction;
o increasing the quality of information obtained for CDD purposes to confirm the customer’s or
beneficial owner’s identity including by:
(i) requiring the first payment to be carried out through an account verifiably in the
customer’s name with a bank subject to UK CDD standards; or
(ii) establishing that the customer’s source of wealth and source of funds that are used in
the business relationship are not the proceeds from criminal activity and that they are
consistent with the firm’s knowledge of the customer and the nature of the business
relationship. In some cases, where the risk associated with the relationship is
particularly increased, verifying the source of wealth and the source of funds may be
the only adequate risk mitigation tool. The sources of funds or wealth can be verified,
among others, by reference to VAT and income tax returns, copies of audited
accounts, pay slips, public deeds or independent and credible media reports.
o increasing the frequency of reviews, to be satisfied that the firm continues to be able to manage
the risk associated with the individual business relationship or conclude that it no longer
corresponds to its risk appetite and to help identify any transactions that require further review,
including by:
(i) increasing the frequency of reviews of the business relationship, to ascertain whether
the customer’s risk profile has changed and whether the risk remains manageable;
(ii) obtaining the approval of senior management to commence or continue the business
relationship to ensure senior management are aware of the risk their firm is exposed
to and can take an informed decision about the extent to which they are equipped to
manage that risk;
(iii) reviewing the business relationship on a more regular basis to ensure any changes to
the customer’s risk profile are identified, assessed and, where necessary, acted upon;
or
(iv) conducting more frequent or in-depth transaction monitoring to identify any unusual
or unexpected transactions that may give rise to suspicion of money laundering or
terrorist financing. This may include establishing the destination of funds or
ascertaining the reason for certain transactions.
CHAPTER 6
➢ Relevant law/regulation
▪ Regulations 19 (4)(d), 21(5) and 24
▪ POCA ss327-340
▪ SI2006/1070 (Exceptions to overseas conduct defence)
▪ Terrorism Act, ss21, 39
▪ Data Protection Act 1998, s7, s29
▪ Financial sanctions legislation
➢ Core obligations
▪ All staff must raise an internal report where they have knowledge or suspicion, or where there
are reasonable grounds for having knowledge or suspicion, that another person is engaged in
money laundering, or that terrorist property exists
▪ The firm’s nominated officer (or their appointed alternate) must consider all internal reports
▪ The firm’s nominated officer (or their appointed alternate) must make an external report to the
National Crime Agency (NCA) as soon as is practicable if he considers that there is knowledge,
suspicion, or reasonable grounds for knowledge or suspicion, that another person is engaged in
money laundering, or that terrorist property exists
▪ The firm must seek consent from the NCA before proceeding with a suspicious transaction or
entering into arrangements
▪ Firms must freeze funds if a customer is identified as being on the Consolidated List on the
HM Treasury website of suspected terrorists or sanctioned individuals and entities, and make
an external report to HM Treasury
▪ It is a criminal offence for anyone, following a disclosure to a nominated officer or to the NCA,
to do or say anything that might either ‘tip off’ another person that a disclosure has been made
or prejudice an investigation
▪ The firm’s nominated officer (or their appointed alternate) must report suspicious approaches,
even if no transaction takes place
➢ Actions required, to be kept under regular review
▪ Enquiries made in respect of disclosures must be documented
▪ The reasons why a Suspicious Activity Report (SAR) was, or was not, submitted should be
recorded
▪ Any communications made with or received from the authorities, including the NCA, in
relation to a SAR should be maintained on file
▪ In cases where advance notice of a transaction or of arrangements is given, the need for prior
consent before it is allowed to proceed should be considered
POCA ss 330, 331; Terrorism Act s 21A
6.1 Persons in the regulated sector are required to make a report in respect
of information that comes to them within the course of a business in
the regulated sector:
Regulation 19(4)(d); POCA s 330
6.2 In order to provide a framework within which suspicion reports may
be raised and considered:
➢ each firm must ensure that any member of staff reports to the firm’s
nominated officer or their appointed alternate [35] (who may also be
the MLRO in an FCA-regulated firm), where they have grounds
for knowledge or suspicion that a person or customer is engaged
in, or attempting, money laundering or terrorist financing;
➢ the firm’s nominated officer must consider each such report, and
determine whether it gives grounds for knowledge or suspicion (Regulation 21(5));
➢ firms should ensure that staff are appropriately trained in their
obligations, and in the requirements for making reports to their
nominated officer (Regulation 24).
POCA, s 331; Terrorism Act s 21A
6.3 If the nominated officer determines that a report does give rise to
grounds for knowledge or suspicion, he must report the matter to the
NCA. Under POCA, the nominated officer is required to make a report
to the NCA as soon as is practicable if he has grounds for suspicion
that another person, whether or not a customer, is engaged in money
laundering. Under the Terrorism Act, similar conditions apply in
relation to disclosure where there are grounds for suspicion of terrorist
financing.
6.4 A sole trader with no employees who knows or suspects, or where there
are reasonable grounds to know or suspect, that a customer of his, or
the person on whose behalf the customer is acting, is or has been
engaged in, or attempting, money laundering or terrorist financing,
must make a report promptly to the NCA.
POCA ss 333A-334; Terrorism Act ss 21D-H, 39
6.5 It is a criminal offence for any person, following a disclosure to a
nominated officer or to the NCA, to release information that might ‘tip
off’ another person that a disclosure has been made if the disclosure is
likely to prejudice an investigation, if the information released came to
that person in the course of a business in the UK regulated sector. It is
also an offence for a person to disclose that an investigation into
allegations that an offence has been committed is being contemplated
or is being carried out; the disclosure is likely to prejudice that
investigation and the information on which the disclosure is based
came to the person in the course of a business in the regulated sector.
It is also an offence for a person to disclose to another anything which
is likely to prejudice an investigation resulting from a disclosure, or
where the person knows or has reasonable cause to suspect that a
disclosure has been or will be made.
Financial sanctions legislation
6.6 It is a criminal offence to make funds, economic resources or, in certain
circumstances, financial services available to those persons or entities
listed as the targets of financial sanctions legislation (see Part III,
section 4). There is also a requirement to report to OFSI both details
of funds frozen and where firms have knowledge or suspicion that a
customer of the firm or a person with whom the firm has had business
dealings is a listed person or entity, a person acting on behalf of a listed
[35] References in this chapter to ‘nominated officer’ should be taken to include ‘or their appointed alternate’ where applicable.
Attempted offences
POCA, s 330; Terrorism Act s21A(2)
6.7 POCA and the Terrorism Act provide that a disclosure must be made
where there are grounds for suspicion that a person is engaged in money
laundering or terrorist financing. “Money laundering” is defined in
POCA to include an attempt to commit an offence under s327-329 of
POCA. Similarly, under the Terrorism Act a disclosure must be made
where a person has knowledge or suspicion that ‘another person had
committed or attempted to commit an offence under any of the sections
15-18’. There is no duty under s330 of POCA or s21A of the Terrorism
Act to disclose information about the person who unsuccessfully
attempts to commit fraud. This is because the attempt was to commit
fraud, rather than to commit an offence under those Acts.
6.8 However, as soon as the firm has reasonable grounds to know or suspect
that any benefit has been acquired, whether by the fraudster himself or
by any third party, so that there is criminal property or terrorist property
in existence, then, subject to paragraph 6.9, knowledge or suspicion of
money laundering or terrorist financing must be reported to the NCA
(see paragraphs 6.40ff). Who carried out the criminal conduct, and who
benefited from it, or whether the conduct occurred before or after the
passing of POCA, is immaterial to the obligation to disclose, but should
be reported if known.
POCA, s330(3A)
6.9 In circumstances where neither the identity of the fraudster, nor the
location of any related criminal property, is known nor is likely to be
discovered, limited useable information is, however, available for
disclosure. An example of such circumstances would be the theft of a
chequebook, debit card, credit card, or charge card, which can lead to
multiple low-value fraudulent transactions over a short, medium, or
long term. In such instances, there is no obligation to make a report to
the NCA where none of the following is known or suspected:
POCA, s 330 (2), (3), s 331 (2), (3); Terrorism Act ss21A, 21ZA, 21ZB
6.10 Having knowledge means actually knowing something to be true. In a
criminal court, it must be proved that the individual in fact knew that a
person was engaged in money laundering. That said, knowledge can
be inferred from the surrounding circumstances; so, for example, a
failure to ask obvious questions may be relied upon by a jury to imply
knowledge. The knowledge must, however, have come to the firm (or
to the member of staff) in the course of business, or (in the case of a
nominated officer) as a consequence of a disclosure under s 330 of
6.11 Suspicion is more subjective and falls short of proof based on firm
evidence. Suspicion has been defined by the courts as being beyond
mere speculation and based on some foundation, for example:
POCA, s 330 (2)(b), s 331 (2)(b); Terrorism Act s 21A
6.15 In addition to establishing a criminal offence when suspicion or actual
knowledge of money laundering/terrorist financing is proved, POCA
and the Terrorism Act introduce criminal liability for failing to disclose
information when reasonable grounds exist for knowing or suspecting
that a person is engaged in money laundering/terrorist financing. This
introduces an objective test of suspicion. Reasonable grounds for
suspecting are likely to depend upon particular circumstances and the
member of staff should take into account such factors as the
nature/origin of the transaction, how the funds, cash or asset(s) were
discovered, the amounts or values involved, their intended movement
and destination, how the funds, cash or asset(s) came into the customer’s
possession, whether the customer(s) and/or the owners of the cash or
asset(s) (if different) appear to have any links with
6.16 To defend themselves against a charge that they failed to meet the
objective test of suspicion, staff within financial sector firms would
need to be able to demonstrate that they took reasonable steps in the
particular circumstances, in the context of a risk-based approach, to
know the customer and the rationale for the transaction, activity or
instruction. It is important to bear in mind that, in practice, members of
a jury may decide, with the benefit of hindsight, whether the objective
test has been met.
6.17 Depending on the circumstances, a firm being served with a court order
in relation to a customer may give rise to reasonable grounds for
suspicion in relation to that customer. In such an event, the firm should
review the information it holds about that customer across the firm, in
order to determine whether or not such grounds exist.
Internal reporting
Regulation 19(4)(d); POCA s 330(5)
6.18 The obligation to report to the nominated officer within the firm where
they have grounds for knowledge or suspicion of money laundering or
terrorist financing is placed on all relevant employees in the regulated
sector. All financial sector firms therefore need to ensure that all
relevant employees know who they should report suspicions to.
6.19 Firms may wish to set up internal systems that allow staff to consult
with their line manager before sending a report to the nominated officer.
The obligation under POCA is to report ‘as soon as is reasonably
practicable’, and so any such consultations should take this into account.
Where a firm sets up such systems it should ensure that they are not used
to prevent reports reaching the nominated officer whenever staff have
stated that they have knowledge or suspicion that a transaction or
activity may involve money laundering or terrorist financing.
6.21 Short reporting lines, with a minimum number of people between the
person with the knowledge or suspicion and the nominated officer, will
ensure speed, confidentiality and swift access to the nominated officer.
6.24 Until the nominated officer advises the member of staff making an
internal report that no report to the NCA is to be made, further
transactions or activity in respect of that customer, whether of the same
nature or different from that giving rise to the previous suspicion, should
be reported to the nominated officer as they arise.
Non-UK offences
POCA, s 340 (2), (11); SOCPA, s 102
6.25 The offence of money laundering, and the duty to report under POCA,
apply in relation to the proceeds of any criminal activity, wherever
conducted (including abroad), that would constitute an offence if it took
place in the UK. However, this broad scope excludes activity (other
than those referred to in paragraph 6.26) which the firm, staff member
or nominated officer knows, or believes on reasonable grounds, to have
been committed in a country or territory outside the UK and the activity
was not unlawful under the criminal law then applying in the country or
territory concerned. Firms may nevertheless have an obligation to
report in that overseas country or territory, through an appropriate
overseas reporting officer.
SI 2006/1070; 1968 c 65; 1976 c 32; 2000 c 8
6.26 Offences committed overseas which the Secretary of State has
prescribed by order as remaining within the scope of the duty to report
under POCA are those which are punishable by imprisonment for a
maximum term in excess of 12 months in any part of the United
Kingdom if they occurred there, other than:
Terrorism Act s21A(11)
6.27 The duty to report under the Terrorism Act applies in relation to taking
any action, or being in possession of a thing, that is unlawful under ss
15-18 of that Act, that would have been an offence under these sections
of the Act had it occurred in the UK.
POCA s 331; POCA ss 327-329; Terrorism Act s 21A
6.28 The obligation to consider reporting to the NCA applies only when the
nominated officer has received a report made by someone working
within the UK regulated sector, or when he himself becomes aware of
such a matter in the course of relevant business (which may come from
overseas, or from a person overseas). The nominated officer is not,
therefore, obliged to report everything that comes to his attention from
outside of the UK, although he would be prudent to exercise his
judgement in relation to information that comes to his attention from
non-business sources. In reaching a decision on whether to make a
disclosure, the nominated officer must bear in mind the need to avoid
involvement in an offence under ss327-329 of POCA.
Regulation 21(5)
6.29 The firm’s nominated officer must consider each report and determine
whether it gives rise to knowledge or suspicion, or reasonable grounds
for knowledge or suspicion. The firm must permit the nominated officer
to have access to any information, including ‘know your customer’
information, in the firm’s possession which could be relevant. The
nominated officer may also require further information to be obtained,
from the customer if necessary, or from an intermediary who introduced
the customer to the firm, to the extent that the introducer still holds the
information (bearing in mind his own record keeping requirements).
Any approach to the customer or to the intermediary should be made
sensitively, and probably by someone other than the nominated officer,
to minimise the risk of alerting the customer or an intermediary that a
disclosure to the NCA may be being considered.
6.32 If the nominated officer decides not to make a report to the NCA, the
reasons for not doing so should be clearly documented, or recorded
electronically, and retained with the internal suspicion report.
External reporting
Regulation 19(4)(d); POCA, s 331; Terrorism Act, s 21A
6.33 The firm’s nominated officer must report to the NCA any transaction or
activity that, after his evaluation, he knows or suspects, or has
reasonable grounds to know or suspect, may be linked to money
laundering or terrorist financing, or to attempted money laundering or
terrorist financing. Such reports must be made as soon as is reasonably
practicable after the information comes to him.
POCA, s 339
6.34 POCA provides that the Secretary of State may by order prescribe the
form and manner in which a disclosure under s330, s331, s332 or s338
may be made.
6.35 The NCA prefers that SARs are submitted electronically via the secure
internet system SAR Online, or via a dedicated bulk reporting facility.
Information about access to and guidance on the use of SAR Online can
be found at http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/economic-crime/ukfiu/how-to-report-sars
6.38 Firms should include in each SAR as much relevant information about
the customer, transaction or activity as they have in their records. In
particular, the law enforcement agencies have indicated that details of
an individual’s occupation/company’s business and National Insurance
number are valuable in enabling them to access other relevant
information about the customer. As there is no obligation to collect this
information (other than in very specific cases), a firm may not hold these
details for all its customers; where it has obtained this information in the
course of normal business, however, it would be helpful to include it as
part of a SAR made by the firm. The NCA’s website
(http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/economic-crime/ukfiu/how-to-report-sars) contains guidance on
completing SARs in a way that gives most assistance to law
enforcement. In particular, the NCA has published a glossary of terms,
and finds it helpful if firms use these terms when completing a SAR.
The NCA also publishes, from time to time, guides to reporting entities.
Financial sanctions legislation
6.39 Firms must report to OFSI details of funds frozen under financial
sanctions legislation and where the firm has knowledge or a suspicion
that the financial sanctions measures have been or are being
contravened, or that a customer is a listed person or entity, or a person
acting on behalf of a listed person or entity. The firm may also need to
consider whether it has an obligation to report under POCA
or the Terrorism Act as well.
Where to report
6.41 The UKFIU address is PO Box 8000, London, SE11 5EN and it can be
contacted during office hours on: 020 7238 8282. Urgent disclosures,
i.e., those requiring consent, should be transmitted electronically over a
previously agreed secure link or, if secure electronic methods are not
available, by fax, as specified on the NCA website at
www.nationalcrimeagency.gov.uk. Speed of response is assisted if the
appropriate consent request is clearly mentioned in the title of any faxed
report (http://www.nationalcrimeagency.gov.uk/about-us/what-we-do/economic-crime/ukfiu/how-to-report-sars).
POCA s334; Terrorism Act s21A
6.43 Where a person fails to comply with the obligation under POCA or the
Terrorism Act to make disclosures to a nominated officer and/or the
NCA as soon as practicable after the information giving rise to the
knowledge or suspicion comes to the member of staff, a firm is open to
criminal prosecution or regulatory censure. The criminal sanction,
under POCA or the Terrorism Act, is a prison term of up to five years,
and/or a fine.
Financial sanctions legislation
6.44 Where a firm fails to comply with the obligations to freeze funds, not to
make funds, economic resources and, in relation to suspected terrorists,
financial services, available to listed persons or entities or to report
knowledge or suspicion, it is open to prosecution.
Consent
6.45 Care should be taken that the requirement to obtain consent for a
particular transaction does not lead to the unnecessary freezing of a
customer’s account, thus affecting other, non-suspicious transactions.
POCA s 336
6.46 Reporting before or reporting after the event are not equal options which
a firm can choose between. Where a customer instruction is received
prior to a transaction or activity taking place, or arrangements being put
in place, and there are grounds for knowledge or suspicion that the
transaction, arrangements, or the funds/property involved, may relate to
money laundering, a report must be made to the NCA and consent
sought to proceed with that transaction or activity. In such
circumstances, it is an offence for a nominated officer to consent to a
transaction or activity going ahead within the seven working day notice
period from the working day following the date of disclosure, unless the
POCA ss 330 (6)(a), 331(6), 338 (3)(b)
6.47 When a transaction which gives rise to concern is already within an
automated clearing or settlement system, where a delay would lead to a
breach of a contractual obligation, or where it would breach market
settlement or clearing rules, the nominated officer may need to let the
transaction proceed and report it later. Where the nominated officer
intends to make a report, but delays doing so for such reasons, POCA
provides a defence from making a report where there is a reasonable
excuse for not doing so. However, it should be noted that this defence
is untested by case law, and would need to be considered on a case-by-
case basis.
POCA, s 335, 336A, 336C
6.49 In the event that the NCA does not refuse a defence request within
seven working days following the working day after the disclosure is
made, the firm may process the transaction or activity, subject to
normal commercial considerations. If, however, a defence request is
refused within that period, a restraint order must be obtained by the
authorities within a further 31 calendar days (the moratorium period [36])
from the day the request is refused, if they wish to prevent the
transaction going ahead after that date. The moratorium period may be
extended, on application by the authorities, by up to 31 days at a time,
to a maximum of 186 further days in total. In cases where a defence
request is refused, the law enforcement agency refusing the request
should be consulted to establish what information can be provided to
the customer.
POCA, s 335(1)(b)
6.50 Granting of a defence request by the NCA (referred to as a ‘notice’ in
POCA), or the absence of a refusal of such a request within seven
working days following the working day after the disclosure is made,
provides the person handling the transaction or carrying out the
activity, or the nominated officer of the reporting firm, with a defence
against a possible later charge of laundering the proceeds of crime in
respect of that transaction or activity if it proceeds.
[36] The Criminal Finances Bill currently before Parliament proposes changes to this regime.
Terrorism Act s21ZA
6.51 A person does not commit an offence under the Terrorism Act where,
before becoming involved in a transaction or arrangement relating to
money or other property which he suspects or believes is terrorist
property, a report is made to the NCA and consent sought to proceed
with that transaction or arrangement. In such circumstances, it is an
offence for an authorised officer to consent to a transaction or
arrangement going ahead within the seven working day notice period
from the working day following the date of disclosure to the NCA,
unless the NCA gives consent. [Where urgent consent is required, use
should be made of the process referred to in paragraph 6.41 above.]
Terrorism Act s21ZB
6.52 When a transaction which gives rise to concern is already within an
automated clearing or settlement system, where a delay would lead to a
breach of a contractual obligation, or where it would breach market
settlement or clearing rules, the authorised officer may need to let the
transaction proceed and report it later. Where the nominated officer
intends to make a report, but delays doing so for such reasons, the
Terrorism Act provides a defence from making a report where there is
a reasonable excuse for not doing so, so long as the report is made on
his own initiative and as soon as it is reasonably practical for the person
to make it. However, it should be noted that this defence is untested by
case law, and would need to be considered on a case-by-case basis.
Terrorism Act s21ZA(2)
6.54 In the event that the NCA does not refuse consent within seven working
days following the working day after the disclosure is made, the firm
may proceed with the transaction or arrangement, subject to normal
commercial considerations. In cases where consent is refused, the law
enforcement agency refusing consent should be consulted to establish
what information can be provided to the customer.
Terrorism Act s21ZA(1)-(3)
6.55 Consent from the NCA (referred to as a ‘notice’ in the Terrorism Act),
or the absence of a refusal of consent within seven working days
following the working day after the disclosure is made, provides the
person handling the transaction or arrangement, or the nominated
officer of the reporting firm, with a defence against a possible later
charge under the Terrorism Act in respect of that transaction or
arrangement if it proceeds.
General
6.56 The consent provisions can only apply where there is prior notice to the
NCA of the transaction or activity; the NCA cannot provide consent
after the transaction or activity has occurred. The receipt of a SAR
after the transaction or activity has taken place will be dealt with as an
ordinary standard SAR, and in the absence of any instruction to the
contrary, a firm will be free to operate the customer’s account under
normal commercial considerations until such time as the LEA
determines otherwise through its investigation.
POCA s 333A (1), (3); Terrorism Act, s 21D
6.60 POCA and the Terrorism Act each contains two separate offences of
tipping off and prejudicing an investigation. The first offence relates to
disclosing that an internal or external report has been made; the second
relates to disclosing that an investigation is being contemplated or is
being carried out. These offences are similar and overlapping, but there
are also significant differences between them. It is important for those
working in the regulated sector to be aware of the conditions precedent
for each offence. Each offence relates to situations where the
information on which the disclosure was based came to the person
making the disclosure in the course of a business in the regulated sector.
There are a number of permitted disclosures that do not give rise to these
offences (see paragraphs 6.63 to 6.66).
POCA ss 333A (1), 333D(3); Terrorism Act, ss 21D(1), 21G(3)
6.61 Once an internal or external suspicion report has been made, it is a
criminal offence for anyone to disclose information about that report
which is likely to prejudice an investigation that might be conducted
following that disclosure. An offence is not committed if the person
does not know or suspect that the disclosure is likely to prejudice such
an investigation, or if the disclosure is a permitted disclosure under
POCA or the Terrorism Act. Reasonable enquiries of a customer,
conducted in a tactful manner, regarding the background to a transaction
or activity that is inconsistent with the normal pattern of activity are
prudent practice, form an integral part of CDD measures, and should
not give rise to the tipping off offence.
Permitted disclosures
POCA s 333D(1); Terrorism Act, s 21G(1)
6.63 An offence is not committed if the disclosure is made to the FCA (or
other relevant supervisor) for the purpose of:
➢ the detection, investigation or prosecution of a criminal offence
(whether in the UK or elsewhere);
➢ an investigation under POCA; or
➢ the enforcement of any order of a court under POCA.
POCA, s 333B(1); Terrorism Act, ss 21A, 21E(1)
6.64 An employee, officer or partner of a firm does not commit an offence
under POCA, s333A, or the Terrorism Act, s 21A, if the disclosure is to
an employee, officer or partner of the same firm.
POCA, s 333B(2); Terrorism Act, s 21E(2)
6.65 A person does not commit an offence if the firm making the disclosure
and the firm to which it is made belong to the same group (as defined in
directive 2002/87/EC), and:
POCA s 333C; Terrorism Act, s 21F
6.66 A firm does not commit an offence under POCA, s333A or the
Terrorism Act s21D, if the disclosure is from one credit institution to
another, or from one financial institution to another, and:
POCA, ss 335, 336; Terrorism Act, ss21ZA, ZB
6.67 The fact that a transaction is notified to the NCA before the event, and
the NCA does not refuse consent within seven working days following
the day after the authorized disclosure is made, or a restraint order is not
obtained within the 31 day (or extended) moratorium period, does not
alter the position so far as ‘tipping off’ is concerned.
6.69 The judgement in K v Natwest [2006] EWCA Civ 1039 confirmed the
application of these provisions. The judgement in this case also dealt
with the issue of suspicion, stating that “The existence of suspicion
is a subjective fact. There is no legal requirement that there should be
reasonable grounds for the suspicion. The relevant bank employee
either suspects or he does not. If he does suspect, he must (either
himself or through the Bank’s nominated officer) inform the
authorities.” It was further observed that the “truth is that Parliament has
struck a precise and workable balance of conflicting interests in the 2002
Act”. The Court appears to have approved of the 7 and 31 day scheme
and said that in relation to the limited interference with private rights
that this scheme entails “many people would think that a reasonable
balance has been struck”. A full copy of the judgement is at
http://www.bailii.org/ew/cases/EWCA/Civ/2006/1039.html. The
court’s view in this case was upheld in Shah and another v HSBC
Private Bank Ltd [2012] EWHC 1283 (QB). This judgement is at
http://www.bailii.org/ew/cases/EWHC/QB/2012/1283.html.
6.71 The NCA has confirmed that, in such cases, a firm may tell the FOS’s
legal department about a report to the NCA and the outcome, on the
basis that the FOS will keep the information confidential (which they
must do, to avoid any ‘tipping off’). A firm may, however, wish to take
legal advice about what information it should pass on. The FOS’s legal
6.72 Firms must remain vigilant for any additional transactions by, or
instructions from, any customer or account in respect of which a
disclosure has been made, and should submit further disclosures, and
consent applications, to the NCA, as appropriate, if the suspicion
remains.
POCA s 339A
6.73 In the case of deposit-taking institutions alone, following the reporting
of a suspicion, any subsequent transactions (including ‘lifestyle’
payments) involving the customer or account which was the subject of
the original report may only proceed if they meet the ‘threshold’
requirement of £250 or less; where the proposed transaction exceeds
£250, permission to vary the ‘threshold’ payment is required from the
NCA before it may proceed.
POCA s339A
6.74 If regular transactions are over this £250 threshold, the deposit taker
can apply to the NCA for a Threshold Variation, and seek permission
to impose a higher threshold on the account for regular payments.
When seeking such a variation, the NCA requires the deposit taker to
specify what ‘lifestyle’ payments are to be paid, which named account
they are coming from and going to, and to specify the amount for each
transaction.
POCA, ss 337 (1), 338(4); Terrorism Act s 21B
6.75 The disclosure provisions within POCA and the Terrorism Act protect
persons making SARs from any potential breaches of confidentiality,
whether imposed under contract, statute (for example, the Data
Protection Act), or common law. These provisions apply to those
inside and outside the regulated sector, and include reports that are
made voluntarily, in addition to reports made in order to fulfil reporting
obligations. The NCA has established a SARs Confidentiality Hotline
(0800 234 6657) to report breaches from reporters and end-users alike.
6.78 Where the firm knows that the funds in an account derive from criminal
activity, or that they arise from fraudulent instructions, the account
must be frozen. Where it is believed that the account holder may be
involved in the fraudulent activity that is being reported, then the
account may need to be frozen, but the need to avoid tipping off would
have to be considered.
6.80 Where the firm does not wish to make the payment requested by a
customer, it should notify the NCA of this fact and request them to
identify any information that they are prepared to allow the firm to
disclose to the court and to the customer in any proceedings brought by
the customer to enforce payment. The NCA should be reminded that:
➢ the court may ask him to appear before it to justify his position if
he refuses to consent to adequate disclosure; and
➢ the refusal to allow adequate disclosure is likely to make it apparent
to the customer that the firm’s reasons for refusing payment are
due to a law enforcement investigation.
6.82 In any proceedings that might be brought by the customer, the firm may
only disclose to the court and the other side such information as has
been consented to by the investigating officer or the court.
Constructive trusts
6.83 The duty to report suspicious activity and to avoid tipping off could, in
certain circumstances, lead to a potential conflict between the reporting
firm’s responsibilities under the criminal law and its obligations under
the civil law, as a constructive trustee, to a victim of a fraud or other
crimes.
6.84 A firm’s liability as a constructive trustee under English law can arise
when it either knows that the funds held by the firm do not belong to its
customer, or is on notice that such funds may not belong to its customer.
The firm will then take on the obligation of a constructive trustee for the
rightful owner of the funds. If the firm pays the money away other than
to the rightful owner, and it is deemed to have acted dishonestly in doing
so, it may be held liable for knowingly assisting a breach of trust.
6.85 Having a suspicion that it considers necessary to report under the money
laundering or terrorist financing legislation may, in certain
circumstances, indicate that the firm knows that the funds do not belong
to its customer, or is on notice that they may not belong to its customer.
However, such suspicion may not itself be enough to cause a firm to
become a constructive trustee. Case law suggests that a constructive
trust will only arise when there is some evidence that the funds belong
to someone other than the customer.
6.86 If, when making a suspicious activity report, a firm knows that the funds
which are the subject of the report do not belong to its customer, or has
doubts that they do, this fact, and details of the firm’s proposed course
of action, should form part of the report that is forwarded to the NCA.
6.87 If the customer wishes subsequently to withdraw or transfer the funds,
the firm should, in the first instance, contact the NCA for consent.
Consent from the NCA will, however, not necessarily protect the firm
from the risk of committing a breach of constructive trust by transferring
funds. In situations where the assistance of the court is necessary, it is
open to a firm to apply to the court for directions as to whether the
customer’s request should be met. However, the powers of the court are
discretionary, and should only be used in cases of real need. That said,
it is unlikely that a firm acting upon the direction of a court would later
be held to have acted dishonestly such as to incur liability for breach of
constructive trust.
6.88 Although each case must be considered on its facts, the effective use of
customer information, and the identification of appropriate underlying
beneficial owners, can help firms to guard against a potential
constructive trust suit arising out of fraudulent misuse or
misappropriation of funds.
6.89 It should be noted that constructive trust is not a concept recognised in
Scots law.
Data Protection - Subject Access Requests, where a suspicion report has been made
6.90 Occasionally, a Subject Access Request under the Data Protection Act
will include within its scope one or more money laundering/terrorist
financing reports which have been submitted in relation to that
customer. Although it might be instinctively assumed that to avoid
tipping off there can be no question of ever including this information
when responding to the customer, an automatic assumption to that
effect must not be made, even though in practice it will only rarely be
decided that it is appropriate to include it. However, all such requests
must be carefully considered on their merits in line with the principles
below.
Data Protection Act, s 7 6.92 On making a request in writing (a Subject Access Request) to a data
controller (i.e. any organisation that holds personal data), an individual
is normally entitled to:
Data Protection Act, s 29 6.93 Section 29 of the Data Protection Act provides that personal data are
exempt from disclosure under section 7 of the Act in any case where
the application of that provision would be likely to prejudice the
prevention or detection of crime or the apprehension or prosecution of
offenders. However, even when relying on an exemption, data
controllers (i.e., firms) should provide as much information as they can
in response to a Subject Access Request.
6.96 Each Subject Access Request must be considered on its own merits in
determining whether, in a particular case, the disclosure of a suspicion
report is likely to prejudice an investigation and, consequently,
constitute a tipping-off offence. In determining whether the section 29
exemption applies, it is legitimate to take account of the fact that
6.97 In cases where the fact that a disclosure had been made had previously
been reported in legal proceedings, or in a previous investigation, and
the full contents of such a disclosure had been revealed, then it is less
likely that the exemption under section 29 would apply. However,
caution should be exercised when considering disclosures that have
been made in legal proceedings for the purposes of the section 29
exemption, as often the disclosure will have been limited strictly to
matters relevant to those proceedings, and other information contained
in the original report may not have been revealed.
Data Protection Act s 7(8) 6.99 Firms should bear in mind that there is a statutory deadline for
responding to Subject Access Requests of 40 days from their receipt by
the firm. The timing of enquiries to the NCA, or any other party, to
obtain further information, or for guidance on whether disclosure
would be likely to prejudice an investigation, should be made with this
deadline in mind.
CHAPTER 7
➢ Relevant law/regulation
▪ Regulation 21, 24
▪ POCA ss 327-329, 330 (6),(7), 333, 334(2)
▪ Terrorism Act ss 18, 21A
▪ SYSC 6.3.7 (1) G
▪ TC, Chapter 1
▪ Financial sanctions legislation
➢ Core obligations
▪ Relevant employees should be
• made aware of the risks of money laundering and terrorist financing, the relevant
legislation, and their obligations under that legislation
• made aware of the identity and responsibilities of the firm’s nominated officer and
MLRO
• trained in the firm’s procedures and in how to recognise and deal with potential
money laundering or terrorist financing transactions or activity
▪ Staff training should be given at regular intervals, and details recorded
▪ MLRO is responsible for oversight of the firm’s compliance with its requirements in respect
of staff training
▪ The relevant director or senior manager has overall responsibility for the establishment and
maintenance of effective training arrangements
➢ Actions required, to be kept under regular review
▪ Provide appropriate training to make relevant employees aware of money laundering and
terrorist financing issues, including how these crimes operate and how they might take place
through the firm
▪ Ensure that relevant employees are provided with information on, and understand, the legal
position of the firm and of individual members of staff, and of changes to these legal positions
▪ Consider providing relevant employees with case studies and examples related to the firm’s
business
▪ Train relevant employees in how to operate a risk-based approach to AML/CTF
7.1 One of the most important controls over the prevention and detection of
money laundering is to have staff who are alert to the risks of money
laundering/terrorist financing and well trained in the identification of
unusual activities or transactions which may prove to be suspicious.
7.2 The effective application of even the best designed control systems can
be quickly compromised if the staff applying the systems are not
adequately trained. The content and effectiveness of such training will
therefore be important to the success of the firm’s AML/CTF strategy.
POCA ss 327-329, 334 (2); Terrorism Act ss 18, 21A 7.4 Under POCA and the Terrorism Act, individual members of staff face
criminal penalties if they are involved in money laundering or terrorist
financing, or if they do not report their knowledge or suspicion of money
laundering or terrorist financing where there are reasonable grounds for
their knowing or suspecting such activity. It is important, therefore, that
staff are made aware of these obligations, and are given training in how
to discharge them.
SYSC 3.1.6 R, SYSC 5.1.1 R 7.5 The FCA requires regulated firms to employ personnel with the skills,
knowledge and expertise necessary for the discharge of the
responsibilities allocated to them.
TC 2.1, SYSC 3.1.9 G, SYSC 5.1.4A G 7.6 Firms carrying out retail activities that are subject to TC are responsible
for ensuring that
Regulation 21(1) 7.7 Where appropriate with regard to the size and nature of its business, a
firm must carry out screening of relevant employees and agents
appointed by the firm, both before the appointment is made, and at
regular intervals during the course of the appointment.
7.10 Where an employee is found to have breached the firm’s internal rules,
or requirements imposed by the FCA, there may be an obligation on the
firm to report such a breach to the FCA, rather than only dealing with
the matter internally.
Regulation 24(1) 7.11 The obligations on senior management and the firm in relation to staff
awareness and staff training address each requirement separately. The
ML Regulations require firms to take appropriate measures to ensure
that relevant employees and agents are made aware of the law relating
to money laundering and terrorist financing (and to data protection,
insofar as relevant to the implementation of the ML Regulations), and
that they are regularly given training in how to recognise and deal with
transactions and other activities or situations which may be related to
money laundering or terrorist financing.
Regulation 24(1)(b),(3)(a) 7.12 In determining the nature and extent of such training measures, firms
must take account of the nature and size of their businesses, and the
nature and extent of the risks of money laundering and terrorist
financing to which their business is subject. Records of the training
measures taken must be kept.
SYSC 6.3.9 (1) R, SYSC 6.3.7 (1) G 7.13 The FCA specifically requires the MLRO to have responsibility for
oversight of the firm’s AML systems and controls, which include
appropriate training for the firm’s employees in relation to money
laundering.
POCA, s 330 (6) and (7) 7.14 Where a staff member is found to have had reasonable grounds for
knowing or suspecting money laundering, but failed to make a
disclosure, he will have a defence under POCA if he does not know or
suspect, and has not been provided with AML training by his employer.
No such defence is available under the Terrorism Act.
Regulation 24 7.15 A successful defence by a staff member under POCA may leave the firm
open to prosecution or regulatory sanction for not having adequate
training and awareness arrangements. Firms should therefore not only
obtain acknowledgement from the individual that they have received the
necessary training, but should also take steps to assess its effectiveness.
Regulation 19 7.16 Senior management must be aware of their obligations under the ML
Regulations to establish appropriate policies, controls and procedures to
mitigate and manage effectively the risks of money laundering and
terrorist financing identified in the firm’s risk assessment. It is an
offence not to have appropriate policies, controls and procedures in
place, whether or not money laundering or terrorist financing has taken
place.
Regulation 21(1)(a) 7.17 Where appropriate with regard to the size and nature of its business, a
firm must appoint a member of its board of directors (or equivalent
management body) or of its senior management as the officer
responsible for the firm’s compliance with the ML Regulations.
SYSC 4.4.7(1), SYSC 6.3.8 R, SYSC 6.3.9 R 7.18 For firms within scope of the Senior Managers Regime, a senior
manager must be allocated the prescribed responsibility for the firm’s
policies and procedures for countering the risk that the firm might be
used to further financial crime. The MLRO is responsible for oversight
of the firm’s compliance with its requirements in respect of training,
including taking reasonable steps to ensure that the firm’s systems and
controls include appropriate training for employees in relation to money
laundering and terrorist financing. Awareness and training
arrangements specifically for senior management, the MLRO and the
nominated officer should therefore also be considered.
7.19 As noted in paragraph 1.41, the relationship between the MLRO and the
SMF manager(s) allocated the prescribed responsibility for the firm’s
policies and procedures for countering the risk that the firm might be
used to further financial crime is one of the keys to an effective
AML/CTF regime. It is important that this relationship is clearly
defined and documented, so that each knows the extent of his, and the
other’s, role and day to day responsibilities. It is permitted, but not
required, for the relevant SMF manager(s) also to be appointed as
MLRO.
Regulation 21(1)(a) 7.20 Where the firm is required to appoint a board member or a member of
its senior management as the officer responsible for the firm’s
compliance with the ML Regulations, it is important that this individual,
the MLRO and the SMF Manager allocated the prescribed responsibility
for the firm’s policies and procedures are all clear as to the
responsibilities of each. Firms should ensure, in consultation with their
normal regulatory contact, that the FCA understands how particular
responsibilities in this area are allocated or shared.
7.21 Firms should take reasonable steps to ensure that relevant employees
are aware of:
7.22 The firm’s approach to training should be built around ensuring that the
content and frequency of training reflects the risk assessment of the
products and services of the firm and the specific role of the individual.
Responsibilities of staff
7.23 Staff should be made aware of their personal responsibilities and those
of the firm at the start of their employment. These responsibilities
should be documented in such a way as to enable staff to refer to them
as and when appropriate throughout their employment. In addition,
POCA, ss327 – 329, 330-332; Terrorism Act ss18, 21A 7.25 There are several sets of offences under POCA and the Terrorism Act
which directly affect staff – the various offences of money laundering
or terrorist financing, failure to report possible money laundering or
terrorist financing, tipping off, and prejudicing an investigation.
POCA, ss327 – 329; Terrorism Act s18 7.26 The offences of involvement in money laundering or terrorist financing
apply to all staff, whether or not the firm is in the regulated sector. This
would include staff of general insurance firms and mortgage
intermediaries. The offences have no particular application to those
engaged in specific customer-related activities – that is, they also apply
to back office staff and contractors.
POCA ss330-332; Terrorism Act s21A 7.27 The offence under POCA and the Terrorism Act of failing to report
applies to staff in the regulated sector, and to all nominated officers,
whether in the regulated sector or not. Although general insurance firms
and mortgage intermediaries are not in the regulated sector, if they have
opted to appoint a nominated officer, the obligations on nominated
officers apply to these appointees.
POCA s333 7.28 Once a report has been made to the firm’s nominated officer, it is an
offence to make any further disclosure that is likely to prejudice an
investigation.
7.29 The firm should train staff, in particular, on how its products and
services may be used as a vehicle for money laundering or terrorist
financing, and in the firm’s procedures for managing this risk. They
will also need information on how the firm may itself be at risk of
prosecution if it processes transactions without the consent of the NCA
where a SAR has been made.
7.35 Staff should also be on the lookout for such things as:
7.36 Staff awareness and training programmes may also include the nature
of terrorism funding and terrorist activity, in order that staff are alert to
customer transactions or activities that might be terrorist-related.
7.37 Examples of activity that might suggest to staff, when assessed in the
context of the overall risk presented by the customer, that there could be
potential terrorist activity include:
Regulation 24(1)(b) 7.45 Whatever the approach to training, it is vital to establish comprehensive
records (see paragraph 8.24) to monitor who has been trained, when they
received the training, the nature of the training given and its
effectiveness.
CHAPTER 8
RECORD KEEPING
➢ Relevant law/regulation
▪ Data Protection Act 1998
▪ Regulations 18, 19 and 39-41
▪ SYSC Chapter 3
➢ Core obligations
▪ Firms must retain:
• copies of, or references to, the evidence they obtained of a customer’s identity, for
five years after the end of the customer relationship
• details of customer transactions for five years from the date of the transaction
▪ Firms should retain:
• details of actions taken in respect of internal and external suspicion reports
• details of information considered by the nominated officer in respect of an internal
report where no external report is made
▪ Firms must delete any personal data relating to CDD and client transactions in accordance
with Regulation 40
➢ Actions required, to be kept under regular review
▪ Firms should maintain appropriate systems for retaining records
▪ Firms should maintain appropriate systems for making records available when required,
within the specified timescales
Regulation 19(1)(a) 8.1 This chapter provides guidance on appropriate record keeping
procedures that will meet a firm’s obligations in respect of the
prevention of money laundering and terrorist financing. There are
general obligations on firms to maintain appropriate records and
controls more widely in relation to their business; this guidance is not
intended to replace or interpret such wider obligations.
8.2 Record keeping is an essential component of the audit trail that the ML
Regulations and FCA Rules seek to establish in order to assist in any
financial investigation and to ensure that criminal funds are kept out of
the financial system, or if not, that they may be detected and confiscated
by the authorities.
Regulation 18(4), 19(1)(b), 39(2)(b) 8.3 As well as legislating for record keeping in relation to customer
identification, and transactions with customers, there are obligations on
firms to document their risk assessment, and their policies, controls and
procedures. See paragraphs 1.54 and 2.3. A firm is also required to
have written arrangements with any third party on which they rely to
apply customer due diligence measures.
Regulation 40, SYSC 3.2.20R, SYSC 6.3.1 R 8.4 Firms must retain records concerning customer identification and
transactions as evidence of the work they have undertaken in complying
with their legal and regulatory obligations, as well as for use as evidence
in any investigation conducted by law enforcement. FCA-regulated
firms must take reasonable care to make and keep adequate records
appropriate to the scale, nature and complexity of their businesses.
Regulation 39 8.5 Where a firm has an appointed representative, it must ensure that the
representative complies with the record keeping obligations under the
ML Regulations. This principle would also apply where the record
keeping is delegated in any way to a third party (such as to an
administrator or an introducer).
8.6 The precise nature of the records required is not specified in the legal
and regulatory regime. The objective is to ensure that a firm meets its
obligations and that, in so far as is practicable, in any subsequent
investigation the firm can provide the authorities with its section of the
audit trail.
➢ Customer information
➢ Transactions
➢ Internal and external suspicion reports
➢ MLRO annual (and other) reports
➢ Information not acted upon
➢ Training and compliance monitoring
➢ Information about the effectiveness of training
Customer information
Regulation 40(2) 8.8 In relation to the evidence of a customer’s identity, firms must keep a
copy of any documents or information they obtained to satisfy the CDD
measures required under the ML Regulations. Where a firm has received
a confirmation of identity certificate, this certificate will in practice be
the evidence of identity that must be kept. Some documents which may
be used for evidence of identification are more sensitive than others (for
example, Armed Forces Cards and Firearms certificates), and firms
should deal with such evidence with care.
8.9 When a firm has concluded that it should treat a client as financially
excluded for the purposes of customer identification, it should keep a
record of the reasons for doing so.
Regulation 40(3)(b)(ii) 8.12 Records of identification evidence must be kept for a period of five
years after the business relationship with the customer has ended, i.e.
the closing of the account or accounts.
Regulation 40(5) 8.13 Upon the expiry of the five year period referred to in paragraph 8.12,
firms must delete any personal data unless:
Regulation 40(6) 8.14 A firm which is relied on by another firm for the purposes of customer
due diligence must keep the records referred to in paragraph 8.8 for five
years from the ending of the business relationship with the customer.
8.15 Where documents verifying the identity of a customer are held in one
part of a group, they do not need to be held in duplicate form in another.
The records do, however, need to be accessible to the nominated officer
and the MLRO and to all areas that have contact with the customer, and
be available on request, where these areas seek to rely on this evidence,
or where they may be called upon by law enforcement to produce them.
Transactions
8.17 All transactions carried out on behalf of or with a customer in the course
of relevant business must be recorded within the firm’s records.
Transaction records in support of entries in the accounts, in whatever
form they are used, e.g. credit/debit slips, cheques, should be maintained
in a form from which a satisfactory audit trail may be compiled where
necessary, and which may establish a financial profile of any suspect
account or customer.
Regulation 40(3)(a)(b)(i) 8.18 Records of all transactions relating to a customer must be retained for a
period of five years from:
Regulation 40(4) But: a firm is not required to retain records relating to transactions
occurring in a business transaction relationship for more than 10 years.
be kept for five years after the investment has been fully sold or funds
disbursed.
Regulation 40(5) 8.20 Upon the expiry of the period referred to in paragraph 8.18, firms must
delete any personal data unless:
8.23 Records of all internal and external reports should be retained for at least
five years from the date the report was made.
Other
Regulation 21(8),(9) 8.25 A firm must establish and maintain systems which enable it to respond
fully and rapidly to enquiries from financial investigators accredited
under s3 of POCA, persons acting on behalf of the Scottish Ministers
in their capacity as an enforcement authority under the Act or
constables, relating to:
8.26 Most firms have standard procedures which they keep under review, and
will seek to reduce the volume and density of records which have to be
stored, whilst still complying with statutory requirements. Retention
may therefore be:
Location
8.29 The ML Regulations do not state where relevant records should be kept,
but the overriding objective is for firms to be able to retrieve relevant
information without undue delay.
8.30 Where identification records are held outside the UK, it is the
responsibility of the UK firm to ensure that the records available do in
fact meet UK requirements. No secrecy or data protection legislation
should restrict access to the records either by the UK firm freely on
request, or by UK law enforcement agencies under court order or
relevant mutual assistance procedures. If it is found that such
restrictions exist, copies of the underlying records of identity should,
wherever possible, be sought and retained within the UK.
8.31 Firms should take account of the scope of AML/CTF legislation in other
countries, and should ensure that group records kept in other countries
that are needed to comply with UK legislation are retained for the
required period.
original documents are kept to assist in forensic analysis. This can also
provide evidence for firms when conducting their own internal
investigations. However, this is not a requirement of the AML
legislation, and retaining electronic/digital copies may be a more
realistic storage method.
Regulation 86(1) 8.34 Where the record keeping obligations under the ML Regulations are not
observed, a firm or person is open to prosecution, including
imprisonment for up to two years and/or a fine, or regulatory censure.
GLOSSARY OF TERMS
Term/expression Meaning
Annex I Financial An undertaking (other than a credit institution or a consumer credit institution)
Institution that carries out one or more of the operations (other than trading on their own
account where the undertaking’s only customers are group companies) listed on
Schedule 2 to the ML Regulations.
[ML Regulations 10(2)(a), 54(2)]
Appropriate person Someone in a position of responsibility, who knows, and is known by, a customer,
and may reasonably confirm the customer’s identity. It is not possible to give a
definitive list of such persons, but the following may assist firms in determining
who is appropriate in any particular case:
➢ The Passport Office has published a list of those who may countersign
passport applications: see
www.direct.gov.uk/en/TravelAndTransport/Passports/Applicationinfor
mation/DG_174151
➢ Others might include members of a local authority, staff of a higher or
further education establishment, or a hostel manager.
Beneficial owner(s) The individual who ultimately owns or controls the customer on whose behalf a
transaction or activity is being conducted. Special rules have been made for bodies
corporate, partnerships, trusts, entities or arrangements that administer and
distribute funds and estates of deceased persons.
Controlled function A function relating to the carrying on of a regulated activity by a firm which is
specified under s 59 of FSMA, in FCA’s table of controlled functions.
Criminal property Property which constitutes a person’s benefit from criminal conduct or which
represents such a benefit (in whole or part and whether directly or indirectly), and
the alleged offender knows or suspects that the property constitutes or represents
such a benefit. [POCA s 340 (3)]
Criminal conduct Conduct which constitutes an offence in any part of the United Kingdom, or
would constitute an offence in any part of the United Kingdom if it occurred there.
[POCA s 340 (2)]
EU Fourth Money The Fourth Money Laundering Directive, adopted in 2015 (2015/849EC),
Laundering updated European Community legislation in line with the revised FATF 40
Directive Recommendations, published in 2012. It repealed and replaced the Third
Directive.
FCA-regulated firm A firm holding permission from the FCA under FSMA, Part 4A, to carry on
certain of the activities listed in FSMA, Schedule 2.
Guidance Paper 5 Guidance Paper No 5: Guidance paper on anti-money laundering and combating
the financing of terrorism, issued by IAIS in October 2004.
Identification Ascertaining the name of, and other relevant information about, a customer or
beneficial owner.
IOSCO Principles IOSCO paper ‘Principles on Client Identification and Beneficial Ownership for
paper the Securities Industry’, published May 2004.
Mind and Those individuals who, individually or collectively, exercise practical control
management over a non-personal entity.
200
ML Regulations The Money Laundering, Terrorist Financing and Transfer of Funds (Information
on the Payer) Regulations 2017 [SI 2017/692].
Money service An undertaking which by way of business operates a currency exchange office,
business transmits money (or any representations of monetary value) by any means or
which cashes cheques which are made payable to customers.
Nominated officer A person in a firm or organisation nominated by the firm or organisation to receive
disclosures under Regulation 21(5) and s 330 of POCA from others within the
firm or organisation who know or suspect that a person is engaged in money
laundering. Similar provisions apply under the Terrorism Act.
Occasional Any transaction which is not carried out as part of a business relationship.
transaction
[ML Regulation 3 (1)]
Politically exposed An individual who is or has, at any time in the preceding year, been entrusted with
person prominent public functions, other than as a middle ranking or more junior official.
Regulated Financial Services and Markets Act 2000 (Regulated Activities) Order 2001 (SI
Activities Order 2001/544).
Regulated activity Activities set out in the Regulated Activities Order, made under s 22 and Schedule
2 of FSMA and not excluded by the Financial Services and Markets Act 2000
201
Regulated market A multilateral system operated and/or managed by a market operator, which
brings together or facilitates the bringing together of multiple third-party buying
and selling interests in financial instruments - in the system and in accordance
with its non-discretionary rules - in a way that results in a contract, in respect of
the financial instruments admitted to trading under its rules and/or systems, and
which is regulated and functions regularly [and in accordance with the provisions
of Articles 36-47 of MiFID].
Regulated sector Persons and firms which are subject to the ML Regulations.
Senior management An officer or employee of a firm in the regulated sector with sufficient knowledge
of the firm’s money laundering and terrorist financing risk exposure, and of
sufficient authority, to take decisions affecting its risk exposure.
[ML Regulation19(7)]
Senior manager An individual, other than a director (or equivalent), who is employed by the firm,
and to whom the Board (or equivalent) or a member of the Board, has given
responsibility, either alone or jointly with others, for management and
supervision.
Terrorism Act Terrorism Act 2000, as amended by the Anti-terrorism, Crime and Security Act
2001.
Terrorist property ➢ Money or other property which is likely to be used for the purposes of
terrorism (including any resources of a proscribed organisation); or
➢ Proceeds of the commission of acts of terrorism; or
➢ Proceeds of acts carried out for the purposes of terrorism
Tipping off A tipping-off offence is committed if a person knows or suspects that a disclosure
falling under POCA ss 337 or 338 has been made, and he makes a disclosure
which is likely to prejudice any investigation which may be conducted following
the disclosure under s 337 or s 338.
[POCA, s 333]
Abbreviation
FCA Financial Conduct Authority, the UK regulator of the financial services industry
NCA The National Crime Agency, the UK’s financial intelligence unit.
SMR The FCA supervisory regime (the Senior Manager Regime) applying to staff
holding Senior Management Functions in certain categories of firm
APPENDIX I
ANTI-MONEY LAUNDERING RESPONSIBILITIES IN THE UK
• Prosecutes crime, money laundering and terrorism offences in England and Wales
Procurator Fiscal
• Prosecutes crime, money laundering and terrorism offences in Scotland
Public Prosecution Service of Northern Ireland
• Prosecutes crime, money laundering and terrorism offences in Northern Ireland
APPENDIX II
SUMMARY OF UK LEGISLATION
1. The Proceeds of Crime Act 2002 (POCA) consolidates and extends the existing UK legislation
regarding money laundering. The legislation covers all crimes and any dealing in criminal property,
with no exceptions and no de minimis. POCA, as amended:
• empowers the NCA to conduct an investigation [38] to discover whether a person holds criminal
assets and to recover the assets in question.
o a criminal offence [45] for persons working in the regulated sector of failing to make a
report where they have knowledge or suspicion of money laundering, or reasonable
grounds for having knowledge or suspicion, that another person is laundering the
proceeds of any criminal conduct, as soon as is reasonably practicable after the
information came to their attention in the course of their regulated business activities
o a criminal offence [46] for anyone to take any action likely to prejudice an investigation
by informing (e.g., tipping off) the person who is the subject of a suspicion report, or
anybody else, that a disclosure has been made to a nominated officer or to the NCA, or
that the police or customs authorities are carrying out or intending to carry out a money
laundering investigation.
Note: An offence is not committed if a person reports the property involved to the
National Crime Agency (NCA) or under approved internal arrangements, either
before the prohibited act is carried out, or as soon afterwards as is reasonably
practicable.
o for failing to make a report of suspected money laundering of five years’ imprisonment
and/or an unlimited fine.
[37] 2002 ch 29
[38] section 341(2)
[39] section 345
[40] section 352
[41] section 357
[42] section 363
[43] section 370 – see also Terrorism Act s38A
[44] sections 327 - 329
[45] sections 330 and 331
[46] section 333A
Terrorism Act 2000 [49], and the Anti-terrorism, Crime and Security Act 2001 [50]
2. The Terrorism Act establishes a series of offences related to involvement in arrangements for
facilitating, raising or using funds for terrorism purposes. The Act:
• makes it a criminal offence for any person not to report the existence of terrorist property where
there are reasonable grounds for knowing or suspecting the existence of terrorist property
• makes it a criminal offence [51] for anyone to take any action likely to prejudice an investigation
by informing (i.e. tipping off) the person who is the subject of a suspicion report, or anybody
else, that a disclosure has been made to a nominated officer or to the NCA, or that the police or
customs authorities are carrying out or intending to carry out a terrorist financing investigation
• grants [52] a power to the law enforcement agencies to make an account monitoring order, similar
in scope to that introduced under POCA
o the maximum penalty for failure to report under the circumstances set out above is five
years’ imprisonment, and/or a fine.
o the maximum penalty for the offence of actual money laundering is 14 years’
imprisonment, and/or a fine.
[47] section 341(2)(b)
[48] section 366
[49] 2000 ch 11
[50] 2001 ch 24
[51] section 39
[52] section 38A and Schedule 6A
3. The definition of terrorist property, involvement with which is an offence, includes resources of a
proscribed organisation. The primary source of information on proscribed organisations, including
up-to-date information on aliases, is the Home Office. A list of organisations which have been
proscribed under the Terrorism Act can be found at:
www.homeoffice.gov.uk/security/terrorism-and-the-law/terrorism-act/proscribed-groups?version=1.
4. The Anti-terrorism, Crime and Security Act 2001 gives the authorities power to seize terrorist cash,
to freeze terrorist assets and to direct firms in the regulated sector to provide the authorities with
specified information on customers and their (terrorism-related) activities. Additionally, under the
Anti-terrorism, Crime and Security Act 2001, HM Treasury may issue a freezing order in respect
of individuals, entities or organisations outside of the UK where there is reasonable belief that they
have taken or are likely to take action which is:
5. Schedule 7 to the CTA gives power to HM Treasury to issue directions to firms in the financial
sector. The kinds of requirement that may be imposed by a direction under these powers
relate to:
6. The requirements to carry out CDD measures and ongoing monitoring build on the similar
obligation under the ML Regulations. The requirements for systematic reporting and limiting or
ceasing business are new.
7. The Treasury may give a direction if one or more of the following conditions is met in relation to a
non-EEA country:
• that the Financial Action Task Force has advised that measures should be taken in
relation to the country because of the risk of terrorist financing or money laundering
activities being carried on
(a) in the country,
(b) by the government of the country, or
(c) by persons resident or incorporated in the country.
• that the Treasury reasonably believe that there is a risk that terrorist financing or money
laundering activities are being carried on
(a) in the country,
(b) by the government of the country, or
(c) by persons resident or incorporated in the country,
and that this poses a significant risk to the national interests of the UK.
• that the Treasury reasonably believe that
(a) the development or production of nuclear, radiological, biological or chemical weapons
in the country, or
(b) the doing in the country of anything that facilitates the development or production of
any such weapons,
poses a significant risk to the national interests of the UK.
Financial sanctions
8. HM Treasury maintains a Consolidated List of targets listed by the United Nations, European Union
and United Kingdom under legislation relating to current financial sanctions regimes. This list
includes all individuals and entities that are subject to financial sanctions in the UK. This list can be
found at: http://www.hm-treasury.gov.uk/d/sanctionsconlist.pdf
9. It is a criminal offence to make payments, or to allow payments to be made, to targets on the list
maintained by HM Treasury. This would include dealing direct with targets, or dealing with targets
through intermediaries (such as lawyers or accountants). Firms therefore need to have an appropriate
means of monitoring payment instructions to ensure that no payments are made to targets or their
agents. In the regulated sector this obligation applies to all firms, and not just to banks.
10. Guidance on compliance with the financial sanctions regime is set out in paragraphs 5.3.54 – 5.3.61.
11. The ML Regulations specify arrangements which must be in place within firms within the scope of
the Regulations, in order to prevent operations relating to money laundering or terrorist financing.
[53] SI 2017/692
[54] Regulation 8
• Bureaux de change, cheque encashment centres and money transmission services (money
service businesses);
• Casinos;
• Dealers in high-value goods (including auctioneers) who accept payment in cash of €10,000 or
more (either single or linked transactions);
• Estate agents, legal and accountancy services providers, when undertaking relevant business.
13. The ML Regulations require firms to appoint a nominated officer to receive internal reports relating
to knowledge or suspicion of money laundering.
14. Firms within the scope of the ML Regulations are required to establish and maintain policies,
controls and procedures to mitigate and manage effectively the risks of money laundering and
terrorist financing identified in a risk assessment undertaken by the firm. These policies, controls
and procedures cover:
15. The FCA may [55] institute proceedings (other than in Scotland) for offences under prescribed
regulations relating to money laundering. This power is not limited to firms or persons regulated by
the FCA. Whether a breach of the ML Regulations has occurred is not dependent on whether money
laundering has taken place: firms may be sanctioned for not having adequate AML/CTF systems.
Where failure to comply with any of the requirements of the ML Regulations constitutes an offence,
the punishment is a maximum of two years’ imprisonment, or a fine, or both.
16. FSMA makes the prevention of financial crime integral to the discharge of the FCA’s functions and
fulfilment of its objectives. This means that the FCA is concerned that the firms it regulates and
their senior management are aware of the risk of their businesses being used in connection with the
commission of financial crime, and take appropriate measures to prevent financial crime, facilitate
its detection and monitor its incidence.
17. A firm may only engage in a regulated activity [56] in the UK if it is a regulated or exempt person. A
person can become a regulated person as a result of: (a) being given a “permission” by the FCA
under Part 4A of FSMA (known as a “Part 4A permission”); or (b) by qualifying for authorisation
under FSMA itself. As an example of the latter, an EEA firm establishing a branch in, or providing
cross-border services into, the UK can qualify for regulation under FSMA Schedule 3 and, as a result,
be given a permission; although such firms are, generally, regulated by their home state regulator,
they are regulated by the FCA in connection with the regulated activities carried on in the UK.
[55] FSMA, s 402(1)(b)
[56] FSMA s22, Schedule 2, and the Regulated Activities Order. These activities are substantially the same as set
out in Regulation [2 (2)(a)].
18. A firm may only carry on regulated business in accordance with its permission. A firm with a Part
4A permission may apply to the FCA to vary its permission, add or remove regulated activities, to
limit these activities (for example, the types of client with or for whom the firm may carry on an
activity) or to vary the requirements on the firm itself. Before giving or varying a Part 4A permission,
the FCA must ensure that the person/firm will satisfy and continue to satisfy the threshold conditions
in relation to all of the regulated activities for which he has or will have permission. If a firm is
failing, or is likely to fail, to satisfy the threshold conditions, the FCA may vary or cancel a firm’s
permission.
19. Threshold condition 5 (Suitability) requires the firm to satisfy the FCA that it is “fit and proper” to
have Part 4A permission having regard to all the circumstances, including its connection with other
persons, the range and nature of its proposed (or current) regulated activities and the overall need to
be satisfied that its affairs are and will continue to be conducted soundly and prudently. Hence, the
FCA “will consider whether a firm is ready, willing and organised to comply, on a continuing basis,
with the requirements and standards under the regulatory system which apply to the firm, or will
apply to the firm, if it is granted Part 4A permission, or a variation of its permission”. The FCA will
also have regard to all relevant matters, whether arising in the UK or elsewhere. In particular, the
FCA will consider whether a firm “has in place systems and controls against money laundering of
the sort described in SYSC 6.1.1 R to SYSC 6.3.10 G”. (COND 2.5.7G)
20. SYSC requires FCA-regulated firms (subject to some specified exceptions: see paragraph 1.35
above) to have effective systems and controls for countering the risk that a firm might be used to
further financial crime, and specific provisions regarding money laundering risks. It also requires
such firms to ensure that approved persons exercise appropriate responsibilities in relation to these
AML systems and controls. Parts of the FCA Handbook that are relevant to AML procedures,
systems and controls, include:
➢ APER - Principle 5 requires an approved person to take reasonable steps to ensure that the
business of the firm for which he is responsible is organised so that it is controlled
effectively [57];
➢ COND – In relation to its ongoing assessment as to whether a firm meets the fitness and
properness criterion, a firm is specifically required to have in place systems and controls
against money laundering of the sort described in SYSC 6.1.1 R to SYSC 6.3.10 G [58];
➢ DEPP – When considering whether to take disciplinary action in respect of a breach of the
money laundering rules in SYSC 3.2 or SYSC 6.3 the FCA will have regard to whether a firm
has followed relevant provisions in the JMLSG guidance for the financial sector [59];
➢ PRIN - Principle 3 requires a firm to take reasonable care to organise and control its affairs
responsibly and effectively, with adequate risk management systems [60]; and
➢ SYSC - Chapters 2, 3 and 6 set out particular requirements relating to senior management
responsibilities, and for systems and controls processes, including specifically addressing the
risk that the firm may be used to further financial crime. SYSC 6.3.1 R to SYSC 6.3.10 G (and
SYSC 6.3) cover systems and controls requirements in relation to money laundering [61].
[57] APER 2.1.2P
[58] COND 2.5.7(10) G
[59] DEPP 6.2.3 G
[60] PRIN 2.1.1 R
[61] SYSC 2 and 3
21. The FCA Handbook of rules and guidance contains high level standards that apply, with some
exceptions, to all FCA-regulated firms (for example, the FCA Principles for Businesses, COND and
SYSC) and to all approved persons (for example, the Statements of Principle and Code of Practice
for Approved Persons). SYSC sets out particular rules relating to senior management
responsibilities, and for systems and controls processes. Some of these rules focus on the
management and control of risk [62], and specifically require appropriate systems and controls over the
management of money laundering risk [63].
22. The FCA has also issued a publication “Financial Crime: A Guide for Firms” which provides
practical assistance and information for firms on actions they can take to counter the risk that they
might be used to further financial crime.
[62] SYSC 6.1.1 R
[63] SYSC 6.3.7 G